Hugh Cumming, CIO for ADP Employer
Services Canada, says that to fix the requirements
mess, CIOs need to take a leadership
position and learn to say no—or at least
not yet—to business requests.
A Special Report on Building Better Software
11 Rules for Improving Software Testing
5 Questions to Ask Your Development Manager

“The list of people who would have the most to contribute
to a requirements list always ends up being small in my
experience.”

-HUGH CUMMING, CIO OF ADP EMPLOYER SERVICES CANADA
Software and Systems

COVER STORY | FIXING THE REQUIREMENTS MESS

The requirements process—literally, deciding what should be
included in software—is destroying projects in ways that aren’t
evident until it’s too late. Some CIOs are stepping in to rewrite
the rules. Feature by Christopher Lindquist

INSIDE THE SOFTWARE TESTING QUAGMIRE

Software testing reveals the human failings behind the code. That’s why it can become
a never-ending exercise in denial. Here are five questions CIOs can ask to cut through
to testing’s root problems. Column by Paul Garbaczeski

TESTING, 1, 2, 3...11

Next to requirements, testing is the most overlooked, most underfunded, most rushed,
yet most critical aspect of the software development cycle. Here are 11 ways to boost
the level of success. Feature by Meridith Levinson

The Most Important Skill | The long-standing
debate over whether schools should stress
technology or business, theory or practice, may
be missing the point. The key skill to teach is
always communication. By Abbie Lundberg

After an initial outsourcing attempt
failed, Farrell Delman, CIO of the
Tobacco Merchants Association,
succeeded in his second attempt
because he allowed time for his
company and its outsourcer to learn
one another’s capabilities and needs.

From the Publisher

Certifiably Sane | Not certifying IT workers’
cross-platform knowledge borders on madness.
By Gary Beach

Inbox

Index

Executive Summaries

IT Value

KEEPING UP WITH THE MERRILL LYNCHES

The CEO of The Options Clearing Corp. knows his company lives
or dies by the strength of its IT. Maybe that’s why he isn’t so hung
up on cutting costs and hitting deadlines.

A View from the Top interview by Ben Worthen

Outsourcing

OFFSHORE ALLIES

When client and vendor jointly manage a project, especially when
the vendor is offshore, success requires CIO oversight and strong
capabilities from both sides. Feature by Stephanie Overby

The Workplace

INNOVATION ALCHEMY

One of the most important things CIOs can create is the right mix
of healthy environment and reliable process in order to foster
innovation. Column by Michael Schrage
What's Hot Online


Read  more  about  the  original  research  conducted  by 
MIT’s  Center  for  Information  Systems  Research  and 
CIO  in  our  online  SPECIAL  REPORTS  section.  You’ll 
also  find  reports  on  the  Balanced  Scorecard,  running 
IT  like  a  business,  grid  computing  and  much  more. 
Go  to  www.cio.com/specialreports. 


The Most Important Skill

The long-standing debate over whether schools
should stress technology or business, theory or
practice, may be missing the point. The key skill
to teach is always communication.


I'm  participating  in  a  panel  discussion  on  the  future  of  IT  education  at  one  of  our  local 
business  schools  this  week.  I’ve  been  asked  to  bring  the  industry  perspective:  What  do  real 
organizations  really  need  their  IT  professionals  to  know? 

This discussion has been going on for some time now within both the academic and business
communities, and it typically revolves around the question of how much technology
knowledge should be taught in the schools versus general business knowledge and management
skills. Clearly this is not an either/or question; good IT professionals need both,
and everyone knows that. It’s more a question of proportion (how much technology, how
much business management) and philosophy (how much theory, how much practice).

It seems to me that the issue of requirements definition and management—whether for
system capabilities or for broader sets of project specs—offers some pertinent lessons that
may not resolve but at least clarify this debate. For instance, in our cover story, “Fixing the
Requirements Mess” on Page 52, Technology Editor Christopher Lindquist reports that
70 percent of software project failure can be attributed to poor requirements management.
Seventy percent! That means that if only people were able to agree to what, precisely
and minimally, they need a system to do and to stick to it, there would be 70 percent fewer
software project failures, even if nothing were done to improve bad code or poor project-
or change-management discipline. This is astonishing.

And in “Offshore Allies,” Page 74, the second of a three-part series on outsourcing strategies
and models, Senior Editor Stephanie Overby reports that 37 percent of co-sourcing
arrangements (in which clients and vendors share management responsibilities for application
project initiatives) end in failure. According to research jointly conducted by MIT’s
Center for Information Systems Research (CISR) and CIO, to be successful in this type of
arrangement, each party must play to its strengths (business knowledge on the client side;
technical expertise on the part of the vendor), set up the relationship so those capabilities can
mesh well, and define the separate contributions of each as clearly as possible without
detracting from the collaborative effort. “The lesson I’ve learned with any partner is that being
very formal in the communication process and setting expectations clearly up front is paramount
to success,” says Michael Agnew, managing director of project management at software
provider Omgeo. “All throughout the project lifecycle, it should be clear who’s handling
what. There needs to be clear accountability.”

There are certainly frameworks and methodologies that universities could teach to help
future IT professionals be more successful in managing requirements and expectations.
But what would be truly transformative would be for all educators—from kindergarten
through college and right into the workplace—to teach people how to communicate
clearly, to define, precisely and minimally, what they need (from a system or anything else)
or expect (from a partner or employee—or a child or spouse, for that matter). These types
of fundamental and enduring skills would go a long way to improving the state of
business overall.


Abbie Lundberg, Editor in Chief

lundberg@cio.com

Put an Exit Strategy in the Contract

The best practices mentioned in “Backsourcing
Pain” [Sept. 1] may help minimize
the backlash that will accompany
JPMorgan Chase’s transfer of work back
home. My question is, why was the possibility
of change not considered when the
contract was set up?

In the fluid environment that is outsourcing,
it is naive to assume that all will
go well every time. There are too many
players, too many opportunities to do
things differently on both ends, and it is too
difficult to convince the staff back home to
accept backsourcing if the option hasn’t
been on the table from the beginning.

The  disaster  in  New  Orleans,  caused  by 
an  uncontrollable  source,  the  weather,  is 
evidence  that  an  exit  strategy  must  be 
well-defined  and  can’t  consist  simply  of  a 
“can’t  happen  here”  mind-set. 

As a pilot, I planned for and documented
each flight and thought up alternatives
if weather, equipment failure or
customer illness occurred. For hundreds
of flights, nothing triggered the alternate
plan. But for the one that did—well,
enough said.

Nobody likes to be the person bringing
up the downside of a new approach to
business. But management must consider
and then track the conditions that indicate
it’s time for change. I understand why
companies do not like to create exit strategy
plans. They take time, effort and
money to prepare. But should the need
arise to activate the plan, the savings are
well worth the effort.

NORMAN H. CARTER

President and CEO
Development Systems International
dsicarte@sbcglobal.net

Lessons Never Learned

It seems that CXOs never learn the
painful lessons of outsourcing. Case in
point: JPMorgan and IBM, EDS and GM,
and many other highly publicized outsourcing
deals gone south.

It is obvious that outsourcing is upper
management’s tool to make financial gains
in the short term. However, the long-term
financial operational gains are disastrous,
employee morale is destroyed, trust in
management is lost, and an entire gamma
of negative issues result from the outsourcing
deal.

Outsourcing has never been a panacea
for mismanagement of the IT function,
and the examples of such deals are plenty
around us. Instead of outsourcing, companies
need to evaluate what has worked
within their IT organizations and apply
the same principles in those areas where
they are lacking resources, experience or
knowledge. Implement an ongoing program
for process improvement and constantly
evaluate the outcomes of strategic
and corporate decisions.

There is an old saying: The wishbone
will never replace the backbone. That
seems to be true with outsourcing. Many
high-level managers wish that outsourcing
would replace a well-structured and
strategic management plan. That will
never happen.

DANIEL JARAMILLO

Sr. Strategic Consultant
Northpoint Strategic Group
pachacamac@earthlink.net


A Supplement to Good IT Health

One reason outsourcing looks so attractive
to management is that it’s difficult to
quantify lost productivity that results
from outsourcing. Suddenly, it takes
longer to do any project because of negotiation
or translation issues.

Additionally, management is typically
too isolated in the ivory tower to really
understand the true impact of outsourcing.
I worked for a company years ago that
outsourced its infrastructure support to a
large vendor. I joined the company as a
senior consultant and had to wait two and
a half weeks to get a network log-in ID. I
found out that was a common experience
with new employees. How much of the
company’s savings was spent paying me to
sit around mostly unable to work?

If outsourcing costs only a 10 percent
reduction (a conservative estimate), multiply
that times the burdened cost of your
workforce. Are you truly saving anything?

I  have  a  motto  relative  to  outsourcing: 
“Nobody  cares  about  you  like  you.”  Despite 
all  the  promises  in  the  world  made  by 
salespeople,  it’s  not  their  business  that’s  at 
stake,  and  they’re  not  personally  vested  in 
its  outcome. 

My experience is that broad outsourcing
often destroys your ability to compete
effectively. Outsourcing should generally
be used to supplement, not to replace.

PETE GEDZYK

Vice President, IT
Morgan Stanley Credit Corp.
petergedzyk@discoverfinancial.com


What  Do  You  Think? 


Send  your  thoughts  and  feedback  to 
letters@cio.com.  Letters  may  be  edited  for 
length  or  clarity.  For  a  link  to  the  articles 
mentioned,  go  to  www.cio.com/111505. 

INTERNET | Debate during a
United Nations conference this
month will highlight a growing
rift between the United States
and the rest of the world over
Internet governance that could
result in changes to how the
World Wide Web can be used.

The purpose of the World
Summit on the Information
Society, which opens in Tunis
Nov. 16, is to generate ideas and
strategies for extending the
benefits of the Internet and
other communications technology
to the developing world.
But these goals are being overshadowed
by an effort among
some of the world’s most influential
governments to transfer
management of the Internet
infrastructure to an international
body. The United States
opposes the idea, and if no
agreement can be reached
there’s a possibility that countries
could end up creating their
own versions of the Internet
with their own rules for its
use—a move that would disrupt
international business.

Currently the Internet is
coordinated by the Internet
Corporation for Assigned Names
and Numbers (ICANN), an independent
organization that has
international representation but
is based in the United States and
has close ties to the U.S. government.
ICANN assigns domain
names, manages the Internet’s
root servers and maps IP
addresses to the domains.

A handful of countries,
including Brazil, China and

(Continued below, under “World vs. U.S.”)
The Business of Better Software

VENDORS | A group of leading software vendors has
decided that part of the answer to the problem of
buggy software is better quality control on its end.

Consequently, Adobe and IBM, among others,
have formed the Software Economics Council (SECO)
to improve their business processes and make their
products easier to deploy and maintain.

One problem vendors see is too much lag time
between gathering customer requirements and
deploying the finished product. “We hope to bridge
the gap between those who create and build [software]
and the users,” says Donovan Neale-May,
executive director of the Business Performance
Management (BPM) Forum, a SECO founder.

SECO’s first project concerns the mobile workforce.
A BPM Forum survey conducted earlier this year found
that at 26 percent of companies, more than half of
employees work remotely. SECO wants to devise new
processes for deploying mobile applications to make
this task easier for customers. -Margaret Locher

AGRICULTURE | Cranberry growers
harvested an estimated 649 million pounds
of the traditional Thanksgiving fruit this year.
But making a living from the berries isn’t easy.
Prices slumped earlier in the decade, and now
energy costs are eating into profits. “Growers
have been aggressive in looking for ways to save
money,” says Jeff LaFleur, executive director of the Cape
Cod Cranberry Growers Association, and they’re turning to IT for help.

One problem growers face is that cranberries are vulnerable to frost. Watering
protects the berries, so on cold nights, growers can spend hours tending
to pumps. To relieve this burden, a few Massachusetts growers have been
experimenting with a system called Irrigation Automation, which uses wireless
technology and the Internet to control irrigation.

Kevin  Connolly,  a  Massachusetts  GPS  technology  dealer,  got  the  idea  for 
the  system  during  a  sales  call  two  years  ago.  The  fleet  manager  for  grower  A.D. 
Makepeace  told  Connolly  that  he  wished  the  company  had  a  way  to  start  its 
pumps  remotely.  The  pumps  are  driven  by  automobile  engines,  so  Connolly 
rigged  the  pumps  with  GPS  devices  that  enabled  the  grower  to  operate  them 
with  a  cell  phone,  similar  to  the  way  cars  can  now  be  started  remotely. 

The current version of the system is Web-based, allowing growers to program
the pumps according to date, time and temperature recorded by remote sensors.
Now Connolly is working on enhancements that will allow users to adjust
watering schedules according to rainfall and wind conditions.

George  Rogers,  VP  of  A.D.  Makepeace,  says  he  expects  the  system  will  cut 
his  irrigation-related  labor  by  80  percent.  And  by  using  water  more  effectively, 
Rogers  says,  growers  may  eventually  be  able  to  increase  their  crops.  Recently, 
the  U.S.  Department  of  Agriculture  gave  LaFleur’s  group  nearly  $187,000  to 
expand  deployment.  -Elana  Varon 


No  Bells  or  Whistles,  Please 

MOBILE TECHNOLOGY | Looks like it’s back to the basics for mobile device
manufacturers. According to a survey by market research company TNS, what users
want most isn’t bigger displays, better graphics or even limitless coverage areas.

They want better batteries.

Seventy-six percent of users in the United States responding to TNS’s survey rated two
days of battery life during active use as
the most important feature of the future
converged device—a device that combines
a mobile telephone and PDA with
e-mail and other business applications.
Next on the list is a high resolution camera
and video camera, followed by full
versions of Microsoft Office applications
and 20GB of memory. Rounding out the
top five: a global positioning system.

-Thomas Wailgum


Longer battery life: 76%
High-resolution camera: 50%
Microsoft Office: 42%
More memory: 41%

SOURCE: TNS

World vs. U.S. (continued)


South Africa, have argued that de facto
control of ICANN by the United States is
incompatible with a global network. They
maintain, for example, that the current
governance structure does not accommodate
domain names that use non-Western
characters, making the Web less accessible
to someone who doesn’t know a Western
language.

The internationalization proposal
seemed to be headed nowhere until September,
when the European Union changed
its position and decided to support it. “We
are looking for a new model which allows
Internet governance on the basis of cooperation
with all governments and stakeholders
because the Internet is a global infrastructure,”
says Martin Selmayr, spokesman for
EU Information Society and Media Commissioner
Viviane Reding.

American and international business
interests agree that it’s important to extend
the reach of the Internet, but that these
needs don’t warrant a new bureaucracy.
“Bureaucracy would not be consistent with
the dynamic nature of the Internet,” says
Ayesha Hassan, senior policy manager and
executive in charge of information and communication
technologies for the International
Chamber of Commerce.

The United States would have to agree to
any change in how the Internet is governed,
and that seems unlikely. That leaves advocates
of internationalization with little recourse
but the threat to build new regional
or national Internets that would be incompatible
with the current one. If this were to
occur, the Internet would no longer be an
open global network.

Negotiators planned to meet once more
immediately before the summit. But the
two sides are so deeply entrenched in their
positions that at press time an agreement
seemed unlikely, according to Heather
Shaw, director for e-commerce and telecommunications
policy at the United States
Council for International Business.

-Ben  Worthen, 
with  additional  reporting  by  John  Blau 
MEDICAL RECORDS GONE WITH THE WIND

HEALTH CARE | Many Hurricane Katrina evacuees lost their paper medical records in the storm. Consequently, they have no documentation of their medication histories and neither do their doctors and pharmacies. To help the hurricane’s victims get appropriate medical treatment, the federal government, with help from other public and private groups, has established a website where health-care workers can retrieve prescription histories and related information on evacuees.

The site, www.katrinahealth.org, was assembled by networking existing databases from retail pharmacies and government health programs such as Medicaid. David Brailer, National Coordinator for Health Information Technology, who is in charge of federal efforts to promote the adoption of electronic medical records systems, says the experience shows how quickly health-care information can be gathered electronically on a national level.

To protect patient privacy, the American Medical Association, the National Community Pharmacists Association and health-care IT company SureScripts first validate the identities of those trying to access the site. Caregivers can then log on to the site with a user name and password and enter a patient’s name, date of birth, pre-Katrina address and gender to access his medication history.

Emily Stewart, health policy analyst for the Health Privacy Project, agrees that it’s crucial to get evacuees the care they need. But she also thinks they should be allowed to opt out of the network if they want, and that the system should be dismantled once the need for it passes.

-Susannah  Patton 
Help for Emergency Responders

Digital TV push would hasten better communications

Hurricane Katrina uncovered many shortcomings in the government’s ability to react to a disaster, but one of the more serious deficiencies was the inability of emergency responders to communicate.

FCC Chairman KEVIN MARTIN

The hurricane knocked out more than 3 million customer telephone lines, 38 emergency call centers and about 1,600 wireless telephone transmission sites when it hit the Gulf Coast Aug. 29, making communication among emergency responders, as well as residents, impossible. Interactive radios could have solved the problem.

For years, emergency responders have argued the case for more radio spectrum so they don’t have to rely on traditional means of communications. But Congress has yet to pass legislation to make room for them on the spectrum, which is already crowded by cell phones, broadcasters and the military. Now is the time to act, says Kevin Martin, chairman of the Federal Communications Commission.

Katrina has boosted the prospects of proposed legislation that would free up some frequencies by giving television stations a hard deadline for transitioning from analog to digital broadcasts.

Currently, broadcasters are required to go digital only in those markets where 85 percent of homes can receive digital signals. With few, if any, markets meeting that threshold now, the transition could take years as consumers try to find the money to buy either digital TVs or converter boxes for their existing sets.

Then there is the opposition from the cable TV lobby. Although cable TV subscribers would not be affected by a digital transition—cable converts the digital signal for analog sets—cable operators are being asked by TV broadcasters to take on multiple digital channels. The cable operators argue they have limited capacity to carry the extra channels.

But the scenes of death and suffering in New Orleans may create enough political will to overcome inaction and opposition. It is almost a given now that legislation will be passed to force broadcasters to go fully digital. (Committees in the House and Senate were taking action on it at press time.) “The only thing left is for people to get out of the spectrum,” says Mary Greczyn, spokeswoman for the High Tech DTV Coalition, a trade group representing companies such as IBM, Intel and Microsoft that favor faster migration to DTV.

-Grant  Gross 
A Source for Sourcing

A guide to success, whether you outsource a little, a lot or not at all

Multisourcing: Moving Beyond Outsourcing to Achieve Growth and Agility
By Linda Cohen and Allie Young
Harvard Business School Press, 2005, $35


BOOK REVIEW | In one sense, write Linda Cohen and Allie Young of Gartner, IT outsourcing has been a rousing success. Economists argue that it’s a major factor in corporate America’s ability to remain profitable. Companies that announce outsourcing plans routinely see their share prices rise. CEOs of such companies get paid more.

And yet, half of all outsourcing contracts signed during the past three years will fail to meet expectations, say the authors in their book Multisourcing: Moving Beyond Outsourcing to Achieve Growth and Agility.

Those failures can be traced to three problems: miscommunication, governance failure and poor coordination. The book provides a step-by-step process to prevent these problems, advice that includes creating a well-aligned sourcing strategy, evaluating and selecting service providers, and methods for long-term management and governance. Multisourcing here refers not to a specific sourcing model but to a manner of setting up and managing the right sourcing model for one’s company.

Multisourcing is chock-full of helpful charts and lists, among them sample governance charts from DuPont and IndyMac Bancorp and a model outsourcing management dashboard. The “Eight Myths of Outsourcing,” detailed in the first few pages, is a great weapon for any CIO being pressured into outsourcing; photocopy this page and keep it in your back pocket.

Cohen and Young overstate the case when they conclude that multisourcing is a business revolution every bit as dramatic as the industrial revolution. And the book would benefit from a more in-depth look at some of the companies highlighted. Nonetheless, it’s a practical guide to creating a foundation for sourcing success. And given the failure rates cited in this book, CIOs can use all the help they can get. (Read “Offshore Allies,” Page 74, to learn how to succeed with one sourcing model, co-sourcing.)

-Stephanie Overby


WIRELESS | A new service from General Motors’ OnStar subsidiary that performs remote diagnostics on vehicles and sends the owners reports once a month could eventually make it easier for car companies to use this data to prevent manufacturing defects.

The diagnostic tests are enabled through wireless communication with a car’s computer system. When the car is in operation, data about the performance of the vehicle’s critical parts and processes, including air bags, antilock brakes and the engine, is transmitted from the car’s main bus to an onboard computer that sends the information to OnStar. OnStar then processes the information and sends an e-mail to the vehicle owner, who can use it to plan maintenance and repairs.

The service comes with an OnStar subscription and is available on most 2004 or newer GM cars. For model year 2006, more than 50 GM models will have OnStar as an option or as standard equipment.

Currently, the service is meant primarily to attract and retain OnStar customers, according to company executives. Down the road, auto industry analysts say, the technology could provide a new way for GM—and the auto industry generally—to gather data about how vehicles perform and build better cars. “Once we do get the data back in office, there is an opportunity for GM to understand what’s going on in the field,” says Steve Samolinski, OnStar’s service line manager.

Until now, adoption of prognostics—the ability to identify impending system failures by analyzing vehicle data—has been slow, according to Joe Barkai, program director with Manufacturing Insights (owned by IDC, a sister company to CIO’s publisher). Car companies have had to rely instead on dealers to pass on data they collect when they do repairs.

Although not very expensive to implement in comparison to OnStar, remote diagnostics was not a priority for auto manufacturers when the economy was poor, says Mark Bunger, an analyst at Forrester Research.

Now, that’s changing.

-C.G. Lynch
Open Source Lights Up

BY GALEN GRUMAN

OPEN SOURCE | The odds are good that the LAMP stack is running somewhere inside your company. The acronym refers to the foundational foursome of the open-source movement: the Linux operating system, Apache Web server, MySQL database and, collectively, the Perl, PHP and Python programming languages. Development tools such as Eclipse and application servers such as JBoss have also gained popularity—and trust—especially now that major vendors such as IBM, BEA Systems and Borland have adopted or supported them commercially. But what about the next step up the software ladder? Is open source ready for ERP, business intelligence or CRM?

Ready or not, it’s happening; the first industrial-grade applications in these areas are now emerging. And CIOs will soon need to decide how to approach these fresh options in their enterprise software catalog. As with the adoption of the LAMP players, these new open-source enterprise applications likely will find their way into the enterprise at a departmental or small-project level. As a result, “we don’t see [these applications] on CIOs’ agenda at all,” notes Michael Goulde, an open-source senior analyst with Forrester Research. But, he warns, “CIOs should sync up with their development teams to see [where such applications] might have payback to the organization.”
essential technology


However, CIOs should tread carefully on such open-source applications, advises Mark Lobel, a partner at PricewaterhouseCoopers who focuses on information security, including security for financial applications. One key concern is that applications tend to reflect and embed business processes and logic, which often are key strategic assets you don’t want to share with others—and open-source licenses can require such sharing if companies aren’t careful. Another issue is the long-term viability of open-source applications for specific functions. Open source depends upon volunteer developers for success, but the more niche a product, the smaller the potential pool of interested contributors. As such, grassroots support for specific apps such as ERP or CRM tools may look more like brigades than the armies now supporting broad open-source infrastructure such as Linux, Apache and MySQL.

Still,  properly  managed  open-source 
applications  can  save  enterprises  money 
and  time— as  well  as  reduce  dependency  on 
specific  vendors. 

But Is It Really Free?

It pays to read the fine print on open-source licenses

Open-source applications typically provide free use of the software and access to its source code. But if you plan to distribute the modified application outside your company, open-source licenses usually require you to return any enhancements to the user community, says Michael Goulde, a senior analyst at Forrester Research. But as the open-source model moves up the stack to applications, the term open source is morphing to accommodate corporate needs.

More restrictive licenses are emerging with the new class of open-source CRM applications. For example, a version of SugarCRM is available under a variation on the standard General Public License (GPL). But users of SugarCRM Pro, available under a separate license from SugarCRM, get a different deal. The SugarCRM license works much like a proprietary software vendor’s license, with the exception that Sugar provides the source code and lets companies modify it for internal use only. And that modified code belongs to the user company, not to SugarCRM.

This model is becoming common as more companies build businesses around open-source software for which they offer both a “pro” version and for-pay support services, says Goulde.

“Their free version is really a marketing tool,” says Bob Gatewood, CTO of Athenahealth, a service provider to doctors and a SugarCRM Pro customer. That suits Gatewood just fine, since the SugarCRM license still lets Athenahealth customize its CRM code easily, without requiring expensive professional services that, for example, a Siebel CRM deployment might require.

Another example is the Veteran Administration’s Vista electronic records software, which is available free as public-domain software. Although the VA has integrated enhancements made by some users in later releases, it still manages the core code development. Private companies have created proprietary extensions and add-ons that they sell to Vista users. They’ve also customized the Vista code for their clients, but none of these efforts belong to the VA or the Vista community as they would in traditional open-source efforts such as Linux, Apache or BSD Unix.

The Avalanche Corporate Technology Cooperative is taking a private open-source approach: Enterprises and consultants can join, which provides them access to software developed by the Avalanche members. (The cooperative is just starting its first efforts, including a Sarbanes-Oxley compliance project.) As with open source, the members all contribute technology to various Avalanche efforts, and Avalanche members provide mutual support. Unlike open source, however, only Avalanche members have access to this technology, which its founders believe will ensure development efforts stay focused on members’ business priorities.

For CIOs, this means that some open-source tools might in fact be just partially open source, requiring a careful understanding of the license and the program’s contents. “You really need to read the license,” advises Athenahealth’s Gatewood.

-G.G.

Finding a Fit

Financial-services giant Fidelity Investments has used open-source technology for about four years to reduce costs and dependence on vendors. “We started with Linux like everyone else did, but our intent all along was to see how far up the stack we could go,” says Charlie Brenner, senior vice president of the Fidelity Center for Applied Technology, Fidelity’s technology incubation group.

After Linux, Fidelity adopted Apache and Perl, and then the Struts Web application framework and the Eclipse Foundation’s development environment. Fidelity is now looking at open-source database management systems and assessing what applications might make sense. The advantages of open source include widespread component reuse, better access to underlying code to customize interfaces across applications, and less complex systems to manage. “We’re heavy users of proprietary [software], and that won’t change, but there are times you need a motor scooter, not a truck,” Brenner says.

Others are less interested in picking the proper vehicle than they are in creating a uniform, inexpensive core on which to hang their IT business. At Midland Memorial Hospital in Texas, “we’re trying to get a complete open-source or public-domain stack rather than be proprietary,” says IS Director David Whiles. His organization already uses the LAMP stack and is now deploying a public-domain electronic records system, the Veteran Administration’s Vista, for less than half of what a proprietary system would cost (even with the cost of hiring a consultancy to add features such as billing). Medical industry service provider Athenahealth, meanwhile, is using SugarCRM—an open-source CRM package. CTO Bob Gatewood says he had several reasons to switch from his current CRM provider, Salesforce.com. But he notes that making the change will save about $1 million over three years in per-user licensing fees, even after the cost of development and integration is subtracted. He expects to complete the migration in early 2006.


Easy Mixing

Beyond spending less, Gatewood plans to more closely integrate the SugarCRM code—which he can access directly—into his call-center and other support applications, something not possible with proprietary software where code is tightly held by the vendors. Other IT execs seek the same benefit. “We can take the pieces we need [with open source],” says Bob Hecht, vice president of content strategy at specialized data provider Informa, which is investigating the Alfresco open-source knowledge-management application as an alternative to commercial enterprise content-management tools.

Informa is exploring Alfresco because a license for a commercial enterprise content management application for a company of its size would cost millions of dollars and would impose a single content-management model on the company’s array of publishing, training and events businesses. “We just won’t do that,” Hecht says. (It also helps that Alfresco was developed in part by former Documentum technologists, giving Hecht more confidence that the application will be enterprise-class.)

Starting Small

Open-source applications can make especially good sense for nonstrategic, fairly generic applications like reporting or sales-force automation. Departments that have unique technology needs and smaller companies with limited budgets are also more likely to consider open-source applications, says Forrester’s Goulde. “Larger companies are not about to rip out SAP. Plus the functionality and the integration are both more complex” for a large company than open-source apps currently can handle, he adds.

For example, open-source tools “are not going to take the business-intelligence market because they are not yet competitive with commercial software,” says Eric Rogge, research director for BI and performance management at Ventana. For example, open-source BI applications don’t yet offer a comprehensive platform with reporting, ad-hoc analysis, online analytical processing (OLAP) connectivity, alerting, dashboards and workflow. Nor do they offer aids for developing user-interface controls, ad-hoc analysis against relational data sources or scorecard functionality with strategy maps, metrics management and collaboration features, he says. But Rogge does expect open-source applications to eventually make inroads in the BI reporting tool segment, since there are a variety of uses for basic reporting tools in an organization where a costly, complex BI tool isn’t needed.

61% of developers in Europe, the Middle East and Africa have used open-source software for development, but only a third have contributed to the open-source community. SOURCE: Evans Data, 2005

Furthermore, increased adoption of open-source databases should encourage the development of open-source reporting tools that take advantage of them, says Don DePalma, an analyst at the consultancy Common Sense Advisory. “Most database activity is about reporting, analyzing and crunching the data, so [open-source reporting tools] would seem a natural development. Companies, universities or governments using open-source operating systems and databases would be a great audience for such software,” he says. DePalma doesn’t expect a popular reporting tool like BusinessObjects’ Crystal Reports, for example, to support open-source databases because of the vendor’s relationships with proprietary database developers such as IBM, Microsoft and Oracle. That provides an opportunity for the open-source community to create a Crystal Reports-like reporting tool, he says.

Open-source applications also make sense when there are regulations or other requirements common to an industry, where having a mutually supported tool would benefit everyone and not put anyone in the position of losing a competitive advantage, Goulde says. Analysts most often cite the health-care and financial-services industries as candidates for these kinds of tools, though liability concerns surrounding legal requirements make it critical that potential users understand the possible risks, notes Fidelity’s Brenner. It is also possible to imagine a large player in a specific industry making an open-source application viable, perhaps for some supply-chain management functions, much as Wal-Mart has done for RFID, notes Forrester Research ERP Analyst Ray Wang.

Gauging Open Source’s Risks

But using open-source applications does carry risks. One is that staff developers unfamiliar with the competitive value of various components might accidentally embed strategic business logic or processes into code that is then provided back to the open-source community, neutralizing a competitive advantage.

But CIOs should be able to manage their strategic assets while still choosing open-source applications, says Eric Link, Diabetech’s CTO. Business logic, for example, should not reside in modified open-source code but in your internal rules base or in-house applications that call the open-source tools, as is common in commercial ERP systems, he says. “It does require careful thought to know what is strategic,” but any IT development effort should make such an assessment, whether it involves commercial, homegrown or open-source code, Link says.

CIOs should also be able to distinguish between applications and platforms and the issues that surround each, Brenner adds. Reporting tools and CRM are two examples of platforms that are often marketed as applications, he notes. The difference is that platforms typically don’t encapsulate specific business processes or logic, making them well-suited for open-source efforts—and less risky for the companies that use them, as companies using such tools will be less tempted to insert their own business logic into the products and unwittingly release it to the world. A reporting tool, for instance, might act on a company’s data, but it would never incorporate that data into its own code—and thus a company would never be required by the license to release the data as open source. (Another alternative is to go pseudo open source as in the Avalanche Corporate Technology Cooperative, which openly shares code on a variety of projects, but only among subscribed members. See “But Is It Really Free?” Page 26.)

Beyond intellectual property concerns, another significant risk is an application’s long-term viability. Open source has worked well for widely distributed tools such as those in the LAMP stack that are typically run as-is and don’t need to be customized at each location. But for niche applications, the community of developers is necessarily smaller than for a piece of infrastructure, reducing the resources that contribute to the application’s development, maintenance and support. This could make it difficult for many projects to muster sufficient developer support to stay viable. The diversity of applications will be a difficult issue for the open-source community, says PricewaterhouseCoopers’ Lobel.

This limitation is exacerbated if companies don’t share their developments with the community for fear of releasing competitive business logic. “I can’t see it going very long if companies aren’t contributing back. An open system works only when it’s open,” Lobel says. Diabetech’s Link, however, believes that argument is overstated, since companies are typically happy to share infrastructure code with others, thus moving the application forward even while keeping their business-specific code to themselves.

Despite these issues, even cautious observers concede that open-source
applications can make sense beyond the LAMP stack. And sensible CIOs should
start paying attention.


Galen Gruman (ggruman@zangogroup.com) is a freelance writer based in San
Francisco. Send feedback to Christopher Lindquist at clindquist@cio.com.
For a list of open-source development projects, visit www.cio.com/111505.




NOVEMBER  15,  2005  |  www.cio.com 




Michael  Schrage  IT'S  ALL  ABOUT  THE  EXECUTION 




Innovation  Alchemy 

One  of  the  most  important  things  CIOs  can  create  is  the  right  mix  of  healthy 
environment  and  reliable  process  in  order  to  foster  innovation 


At the CIO 100 Conference in August, a panel on innovation produced some
provocative glimpses into how a few of the nation’s most IT-intensive
enterprises—including Capital One, Circuit City and 1-800-Flowers—actually
(re)organized themselves to create new value.

The panelists—all top-notch CIOs—were remarkably candid about the
challenges they are facing as they push their companies to convert
technical capacity into business capability. Circuit City, for example, set
up select teams of innovation champions from operations but discovered that
its people struggled to balance their everyday responsibilities with their
new innovation missions. 1-800-Flowers found that small, quick and dirty
rapid-prototyping teams could open up vast new market opportunities faster,
better and far cheaper than expected. Capital One achieved some good
results by rotating high-potential managers from business units into IT
leadership positions.

Each CIO acknowledged that traditional notions of accountability required
tweaks when enterprises genuinely commit themselves to innovation—not just
operational excellence—as a medium for growth. These CIOs, for instance,
talked about how they installed new reward incentives and had to be more
creative about managing the risk associated with trying something new. They
had to make special dispensations for failed experiments.

When  the  time  came  for  questions  from  the  floor,  I  couldn’t 
resist  the  urge  to  focus  the  wide-ranging  conversation  on  some 
fundamental  principles.  So  I  asked:  Where  do  you  think  you 
get  the  best  return  from  your  innovation  investments?  From  the 
people  you  hire?  From  the  innovation  processes  you  put  in  place? 
Or  from  the  innovation  environment  you  seek  to  create? 


Think these CIOs gave the oh-so-politically correct answer of “people”?
Sorry; not a one. The split winners were process and environment. Why?
Because as one of the panelists put it, “Even if you hire the right
people—and we think we do—they need to be in an environment that encourages
them to be innovative in ways we can use.”

The  CIO  who  championed  process  put  it  another  way:  “We 
like  the  consistency  and  discipline  that  good  process  provides. 
Innovation  should  be  a  business  process.” 

Environment  vs.  Process;  Take  Your  Pick 

These are distinctions with a difference. Environments are not unlike the
weather; they create climates where informal collaboration and spontaneous
interactions are warm and encouraging or chilly to the point of being
frigid. Environments stress recognition-and-reward systems where leadership
by example is the norm and the organization provides resources that
ostensibly reinforce the values it claims to aspire to. For example,
organizations that celebrate teamwork and collaboration have open office
plans with open and inviting meeting rooms along with water coolers and
coffee carts that have nearby lounge chairs and whiteboards. Healthy
innovation environments might feature “show and tell” brown bag lunches
where project team leaders present early-stage prototypes to interested
people from around the organization in search of constructive feedback and
useful criticism. Oh, yes: The Boss—the CIO, CMO, CFO or even the
CEO—occasionally stops by to see what’s going on and communicate support.

By contrast, process is about consistent and rigorous methodologies that
reliably turn selected inputs into desired, measurable and measured
deliverables that the organization genuinely values. Process is about
continually looking for ways to subtract wasteful time, energy and
investment while adding new value. Process stresses recognition-and-reward
systems where leadership is measured by the ability to make that process
more reliable, agile, robust and cost-effective. Healthy innovation
processes invite aspiring innovators to attach some discipline and rigor to
their wilder ideas. Think GE’s Six Sigma initiatives—sure, there were
teething pains in the beginning but the new metrics and mindsets it
fostered yielded enormously productive changes. The (relative) lack of
arbitrariness and politics in a healthy innovation process makes it
something that invites participation and contribution. Not surprisingly,
good innovation processes enable good innovation environments.

Whether you agree or disagree with these distinctions, the clear consensus
from the panel was that one of the most important strategic allocations
CIOs can make is defining what people, process and environmental
investments they’ll need for innovation. Yes, balance is nice. But a
well-designed innovation process attracts and inspires people as surely as
does an open and challenging innovation environment.

While people remain the vital ingredient, the fact remains that CIOs do
have serious choices to make about whether they’ll get a better return on
their innovation investments from creating better environments or better
processes. While this isn’t an either/or proposition, CIOs need to ask
themselves whether they prefer to be “branded” by their colleagues and
employees—not to mention their CEOs—as successful creators of innovation
environments or as reliable leaders of innovation processes.

Why is this so important? Because CIOs, whether they like it or not, have
to recognize that their innovation processes and their innovation
environments need to dovetail with innovation environments and processes
throughout other parts of their organizations. If you’re an innovation
process CIO and your CMO is a brand-driven, innovation environments kind of
leader, you’ve got a compatibility problem. Similarly, if you’re running an
innovation environment shop where everybody’s an innovator and your VP of
sales is Ms. Sales Force Process Excellence, good luck on implementing that
channel management rollout.

While it’s true that virtually all organizations of size have their own
little innovation process pockets and microclimates, the truth is that CIOs
have a special responsibility to strategically rethink how best to blend
process-defined and environment-shaped innovation enterprisewide. Precisely
because IT organizations enable innovation throughout the enterprise, the
supply chain and the customer, CIOs have to devote special care in
determining whether process or environment offers the better organizing
principle for innovation initiatives.

Listening to the CIO 100 panel, it was absolutely clear to me that these
are precisely the questions these leaders are wrestling with. They know
they need to be more innovative; they know their IT shops need to be more
innovative; and they know their companies need to be more innovative.
Indeed, they’re looking for innovative people to hire and train. But
there’s no doubt that they’re paying extra special attention to whether
it’s better environments or better processes that will tap the innovative
best in their own people—and in people enterprisewide. Innovatively
balancing process and environment for cost-effective innovation is at the
core of real CIO leadership.
Inside the Software Testing Quagmire

Software  testing  reveals  the  human  failings  behind  the  code.  That's  why  it  can 
become  a  never-ending  exercise  in  denial.  Here  are  five  questions  that  you  can  ask 
to  help  you  cut  through  to  testing’s  root  problems. 

There are few things worse than being responsible for a software project
mired in testing. To those waiting to use the software, the project seems
done. But it isn’t. The software needs to be tested to ensure it functions
properly and is stable and reliable. And the project manager’s frustration
mounts as days turn into weeks, weeks turn into months, and—heaven
forbid—months turn into years. (For best practices for running your testing
organization, see “Testing, 1, 2, 3...11,” Page 63.)

This process is doubly frustrating for CIOs removed from the action.
Testing managers—who may not be skilled at communicating with CIOs—can
distract attention from the real problems by being overly detailed or
focusing on irrelevancies.

CIOs  must  assess  the  situation  for  themselves,  asking  the 
testing  manager  the  following  five  questions  face-to-face  and 
observing  how  wide  his  pupils  dilate. 

Question #1: Is the software’s functionality clear, complete, documented
and subject to a formal change process?

You’re really asking: Are we trying to hit a moving target?

You’re trying to determine: If the problem is that the software is poorly
defined or that the project’s scope has changed.

Interpreting the response: If the software’s functionality is not fully
documented or is not clear, testers will have difficulty determining
whether it meets the project’s goals. When functionality is subject to
interpretation, test cases might not reflect what was originally intended.
If functionality changes because the organization continually adds,
modifies or deletes functions, testers will have difficulty keeping up.
Only changes critical to the integrity of the software should be allowed.

A related symptom to check: Intense debate about requirements and test
results.

Question #2: Is development complete?

You’re really asking: Are the testers essentially starting over with each
new release because there are so many changes?

You’re trying to determine: If the software has been released for testing
prematurely, or if changes are uncontrolled.

Interpreting the response: Software released prematurely will differ
markedly from the previous release. With all the changes, testing performed
on a previous release might no longer be relevant to the new one. If
testing of one release is not completed before the next one arrives, there
will be no comprehensive understanding of release defects.

After each release, the software will change due to user feedback. But
problems will occur if developers and testers do not agree about which
changes will be made. If developers decide to implement sweeping design
changes or to improve software already functioning correctly, the testers
will be the dubious beneficiaries of releases that behave very differently
from previous ones. Again, testing efficiency will be very low.

A  related  symptom  to  check:  Complaints  about  the  frequency  of 
releases,  about  releases  being  delivered  without  notice  or  about 
significant  changes  in  a  release. 


Question #3: Are test cases comprehensive and repeatable; are they executed
in a controlled environment?

You’re really asking: Is testing ad hoc or disciplined?

You’re trying to determine: If testing is effective.

Interpreting the response: There should be a set of repeatable test cases
and a controlled test environment where the state of the software being
tested and the test data are always known. Absent these, it will be
difficult to discern true software defects from false alarms caused by
flawed test practices.

A related symptom to check: If temporary testers are conscripted from other
parts of the organization to “hammer” the software without using formal
test cases, it means the organization is reacting to poor testing by adding
resources to collapse the test time, rather than addressing the problem’s
root causes.

Question #4: Is there a process being followed to evaluate each defect and
prioritize its resolution?

You’re really asking: Is the organization tackling the most severe problems
first and agreeing on the contents and timing of the next release?

You’re trying to determine: If the organization is making good decisions
about where to apply its assets.

Interpreting the response: Defects vary in severity. For example, a defect
in the cosmetics of a screen form is less severe than a defect that stops
the software cold. A defect that impacts many users is more severe than one
that impacts few users. The order in which the development team resolves
defects should be in line with their severity.

Trouble  occurs  when  the  development  and  test  teams  do 
not  communicate  about  which  defects  to  remedy  and  in  which 
order.  To  ensure  improvement  of  the  software  and  for  the  test 
phase  to  move  toward  completion,  the  development  and  test 
teams  must  collaborate. 

A related symptom to check: The number of highest-severity defects does not
diminish over time; friction exists between development and test
organizations.

Question #5: Does the organization collect testing metrics at regular
intervals? The total number of test cases? The number that passed and
failed? The number of defects—by degree of severity—in the process of being
fixed?

You’re really asking: Can the organization quantify the state of testing?

You’re trying to determine: Can the organization measure progress?

Interpreting the response: Metrics enable informed testing decisions. If
metrics are not recorded and published on a regular basis, progress will
remain uncertain.

Metrics  relating  to  test  cases  and  defects  must  be  captured, 
published  and  tracked.  With  these  metrics  you  can  determine 
whether  defects  are  climbing,  cresting  or  diminishing,  and 
whether  the  most  severe  defects  are  being  attacked  first.  You 
will  see  trends  and  be  able  to  make  corrections. 

A  related  symptom  to  check:  There  are  differing  opinions  about  the 
state  of  testing,  open  defects  and  trends. 

Because software testing ultimately exposes human failure, it’s difficult
to know whether the process is achieving its goal of creating the best
software. People don’t like to admit mistakes. They can go to extraordinary
lengths to hide mistakes or take unilateral steps to try to remedy problems
before others can discover them. “Busy-ness” is no guarantee of
progress—indeed, it may indicate the worst kind of testing failure. CIOs
can provide a critically important perspective on the process to get
testing back on track and keep it there.


Paul Garbaczeski has held a variety of systems development, management and
business positions at major enterprises over the past 30 years. Please send
your comments to Executive Editor Christopher Koch at ckoch@cio.com.

Policy Must Fit the Culture

Corporate security isn’t something that kicks in when things go awry.

It’s a way of life; a culture that reflects the very health, vitality and
integrity of a business. Of course, corporate security is the inalienable
responsibility of every corporate citizen. But it is most certainly
energized from the top down.

Security does, or should, garner fierce attention at the board level for
good reason. Just consider what’s at stake: the brand, shareholders,
customers and employees. Security literally impacts every aspect of the
business and indeed contributes to business continuity and the overall
financial well-being of the business.

That’s why senior leadership must close the gap between business management
and security operations, says Ed Casey, director of corporate security at
Cincinnati-based Procter & Gamble Company. CSOs need to understand the
business to protect it effectively, and business managers need to
appreciate how security can positively impact the bottom line.

But a security-conscious workplace doesn’t just materialize on its own.
Executive management needs to initiate the culture with a simple, yet
comprehensive, security program. “Measurably effective logical security
cannot exist without effective physical security or a corporate culture
that is intolerant of misconduct,” explains George Campbell, former CSO of
Fidelity Investments, security consultant and member emeritus of the CSO
Executive Council.

Francis D’Addario, vice president of partner and asset protection for
Starbucks Coffee Company of Seattle, Wash., offers some guiding principles
for formulating a top-notch security culture:

• Require the protection of people first.

• Underscore the values of corporate culture to safeguard brand equity.

• Support the company’s mission with service-level expectations.

• Require interweaving security and safety as an enabler for every business
opportunity.

• Insist on world-class processes for security incident awareness,
prevention, detection and mitigation.

Don’t be lulled into thinking of security in terms of things. “Computer
viruses or natural disasters won’t be the undoing of a business,” Campbell
warns. “Corporate meltdowns are caused by bad ethics, ineffective controls
and other human behavior.”


Are  You  Ready! 

How  to  Handle  Today’s  Corporate 
Security  Threats 

Today’s top threats? Business interruption due to workplace violence, cyber
crimes, natural disasters or terrorism; damage to the corporate image due
to loss of critical business information or noncompliance with security
regulations; product or supply chain disruption because of inappropriate
preparation for emergencies. The list goes on and it changes daily.

It’s  no  wonder  that  the  issues  keeping  CSOs 
awake  have  or  should  have  made  it  to  the 
boardroom  table.  Equally  as  important  are  the 
board’s  concerns,  which  had  better  be  on  the 
security  group’s  radar  screen. 

For  example,  Michael  Frankovich,  director 
of  corporate  security  at  Duke  Energy  in  Char¬ 
lotte,  N.C.,  says  workplace  violence  is  what 
plagues  his  slumber  because  the  stakes  are  so 
high.  He  notes  that  the  most  egregious  inci¬ 
dents  aren’t  frequent,  and  executives  tend  to 
assume  that  employees  are  safe  in  their  own 
building. A comprehensive and effective security program will let executive management sleep soundly in that regard.

Richard Lefler, former CSO of American Express and a Scottsdale, Ariz.-based consultant specializing in strategic security planning, says the greatest emerging threat is the risk of a global flu pandemic like Avian Influenza (H5N1). It’s projected to hit in the next two to three years and is already being monitored at the executive level. Keeping employees safe is paramount, but this form of security planning significantly varies from the norm. That could explain why this type of threat and prepared response is often overlooked until the crisis is imminent.

Lefler says executives can better manage any security threat through situational readiness: “Executive management needs a framework that allows the security group and business managers to adapt quickly to changing environments.” Executives can’t build security programs by looking in the rearview mirror, he says, nor can they predict the likelihood of the next terrorist attack or natural disaster. Rather, they need to create mechanisms for the influx and management of situational threat information.

Unfortunately, says Lefler, that influx is like “drinking water out of a fire hose.” Executives need to implement tools to create relevancy in situational data, segmenting and automating the process. For instance, geographic relevancy might dictate prioritization of events within five miles of a plant versus 500 miles.

James Ashby, director of corporate security and loss prevention at Boise Cascade, puts it succinctly: “The greatest threat is not the threat itself, but rather the perceptions and expectations surrounding the threat.”


Sing-Sing or Fort Knox?

Security Beyond the Perimeter

Maintain a rock-solid perimeter and all is right with the world. Right?

Wrong. Sing-Sing and Camp Cupcake can be locked down as tight as Fort Knox, but that doesn’t make either a safe place.

It’s  the  integrity  of  the  individuals  within  the 
perimeter  that  makes  for  a  secure  environment. 

According to a CIO Magazine and PricewaterhouseCoopers survey (“The Global State of Information Security 2005”), the problem is that roughly 33% of information security (IS) attacks originate from employees, with another 28% coming from ex-employees and partners.

The best way to avoid this threat is thorough background checks during the hiring or contracting process. Contractors, supply chain partners and outsourcing vendors should all be held to the same best-hiring practices. But it doesn’t simply end with the hiring. Monitoring activity is a must. Companies are reporting a notable surge in surveillance from both a physical and an IT perspective, says the CIO survey.

Physical security is maturing with the use of access-card systems, optical turnstiles and surveillance equipment. “However, these efforts are contradicted by what is happening in the world,” explains Duke Energy’s Frankovich. “Body-borne weapons can get through optical turnstiles, and a glass door certainly can’t stop vehicle-borne weapons.” What’s worse, thousands of “outsiders” are invited into the inner sanctum every day. “Once these folks are inside the building, you must rely on different forms of monitoring and a security-conscious culture to protect the business,” adds Frankovich.

From the IT perspective, the CIO survey suggests that IS organizations increasingly monitor employees to “rein in instant messaging and other applications, put down rampant spam and malware, shield the company from liability when employees use peer-to-peer networks to download copyrighted material and monitor for evergreen insider threats.” A whopping 88% of respondents say they have IT monitoring in place, or plan to by year’s end.

Another issue that may not yet be fully grasped at the board or even the executive level is the fluidity of the perimeter, which ebbs and flows with the tides of the business. The perimeter opens up for each new hire, contractor and business partner. It extends to e-business, outsourcing and supply chain strategies. It morphs with mergers and acquisitions.

The  extended  business  environment  has 
resulted  in  many  business  opportunities  and 
great  savings.  “But  in  our  quest  for  mobility  and 
efficiency,  we’ve  built  interdependent  and 
interoperable  infrastructures,  creating  choke 
points  that  need  more  security  and  redundancy,” 
says  security  consultant  Richard  Lefler. 

Perimeter defense has taken on new meaning. “It’s not just about securing the building, nor about tightening up the network,” says Lefler. The safety zone must also include global offices, partners and outsourcing vendors as well as Web-based commerce. It’s no small task and requires strategic-level thinking.

Risky  Business 

Litany of Regulations Raises the Bar For Business

Sarbanes-Oxley, the European Data Protection Act (EDPA), HIPAA and Basel II — complying with standards and regulations such as these is neither optional nor simply an afterthought. Indeed, with the stiff penalties that accompany some regulations, compliance is now just as critical as any other core business or security initiative.

That means companies must become ever more strategic in how they implement and deliver compliance. Bill Boni, vice president and chief information security officer at Schaumburg, Ill.-based Motorola, Inc., says executives must upgrade their approach to security, which is often a matter for separate and sometimes conflicting fiefdoms. For instance, one set of professionals usually is responsible for the physical security of facilities, while another group oversees auditing and loss prevention activities, and yet another oversees electronic pass codes, firewalls, virus protection and all the other necessities of the information age.

But  Boni  says  that  approach  is  dangerous, 
advising  a  greater  functional  convergence  — 
mirrored  by  his  own  expanded  responsibilities 
at  Motorola  —  that  can  break  down  the  walls 
separating  different  elements  of  corporate  risk 
management  and  security. 

However, security consultant George Campbell says it is critical that upper management be on board. “The board of directors and CEO must assure that risk assessment around security-related issues is an integral part of the company’s risk management process,” emphasizes Campbell. Where organizations have put rigorous risk analysis and


Essentials  for 


CRITICAL  DATA 

Internet  Security  Systems  Provides  a  Complete  Protection  Strategy 


In  the  Information  Age,  data  is  power,  but  it  is  also  money.  In  today’s 
world,  stolen  data  is  not  simply  an  annoyance.  It  is  fodder  for  national 
headlines  and  public  outrage.  A  direct  correlation  exists  between 
protecting  your  data  and  protecting  your  bottom  line. 

The  security  landscape  has  shifted  forever  as  hackers  now  leverage  their 
technical  knowledge  for  financial  gain.  Your  business  must  function  in  this 
landscape  —  under  constant  attack  by  data  pirates  trying  to  steal  personal 
information.  How  do  you  know  if  your  data  is  sufficiently  protected?  Tom 
Noonan,  chairman,  president  and  chief  executive  officer  of  Internet  Security 
Systems  (ISS),  recommends  you  start  by  asking  the  right  questions: 

•  What  sensitive  data  do  we  have?  With  endless  types  of  data,  you  need  a 
classification  scheme  to  categorize  sensitive  information  and  separate  it 
from  non-critical  data. 

•  Where  is  our  sensitive  data  located?  While  it  may  primarily  reside  in  a 
production  database,  it  is  also  duplicated  onto  backup  tapes,  copied  to 
department  servers  and  cached  on  proxy  servers  or  client  systems.  You 
need  to  know  where  the  data  is  in  order  to  protect  it  effectively. 

•  What  are  the  points  of  access  to  our  sensitive  data?  Every  location  in 
which  data  resides  probably  allows  multiple  points  of  access.  Identifying 
both  physical  and  digital  access  points  is  the  first  step  in  securing  them. 

•  How  is  each  access  point  protected?  Once  you  have  identified  the 
physical  and  digital  points  of  access,  examine  how  well  each  access 
point  is  protected.  Using  a  single  mechanism  is  a  huge  mistake.  You 
need  multi-layered  protection. 

•  Who  has  access  to  what  data?  More  than  half  of  all  security  incidents 
involve  insiders.  Know  who  has  access  to  what  data.  Increased  access 
to  sensitive  data  should  only  be  given  when  both  the  “trust”  and  “need” 
criteria  are  met. 

•  How  do  we  track  our  sensitive  data?  Auditing  access  to  sensitive  data  is 
crucial.  Audit  logs  are  an  effective  mechanism,  but  they  must  also  be 
considered  sensitive  data. 

• Does my enterprise security system protect both systems and data? An end-to-end, multi-layered system that enforces policy while deflecting threats is the only way to truly stay ahead of the threat.

To learn more about ISS and safeguarding critical data, call 800-776-2362. For an executive brief on Safeguarding Customer Data go to www.iss.net/2005/safeguard_data/.


mitigation strategies in place, he adds, “it’s likely that much of the work toward compliance has already been done.”


With or Without Mandates, Privacy Is Now a Pervasive Challenge

Privacy compliance is a large component of recent legislation and regulations. For instance, California law mandates highly onerous consequences for any security breach in which personal financial information is shared or disclosed without authorization. The law imposes penalties of $2,500 per violation and there is no cap for willful violations of the law.

But privacy issues extend far beyond mandates alone. Long-term management efforts to foster a public perception of trustworthiness and strengthen brand identity can be quickly undone by revelations about mishandling private information. Furthermore, internal stakeholders may also have privacy concerns regarding the accessibility of their sensitive information.

In an article in Information Systems Control Journal entitled “Creating the Privacy-Compliant Organization,” author Robert G. Parker points out that while each organization must consider the relevant privacy regulations, definitions created by the Organization for Economic Cooperation and Development (OECD) can provide the basis for developing a universal privacy model that outlines the basic principles for privacy compliance. However, he stresses, “becoming privacy-compliant is a process” that requires a compliance-focused team and infrastructure.

Tim Gladura, CSO of Cardinal Health, Inc., based in Dublin, Ohio, has full responsibility for privacy issues and contends that the challenges are multiplied for his global organization. “We must look at privacy regulations around the world because we operate on seven continents,” he says. Fortunately, he notes, as the central source for all security activities at Cardinal Health, “I myself have an enormous amount of compliance support on those issues, including a personal data protection and privacy person who is an international attorney.”

Gladura  emphasizes  that  a  centralized  and 
integrated  framework  needs  to  be  put  in  place 
to  monitor  and  control  “whether  or  not  an 
organization  has  done  a  responsible  job”  of 
protecting  the  privacy  of  its  constituents.  A 
Founded by CSO Magazine, the CSO Executive Council is a professional organization for security executives whose vision is to advance strategic security practices and solutions. The mission of the council is to provide both public and private sector CSOs and CISOs with the products, research and support necessary to advance the safety of their organizations, the security profession as a whole and their careers. To learn more about the council, please visit www.csoexecutivecouncil.com.




According to HUGH CUMMING, CIO at ADP Employer Services, IT organizations often do not take a leadership position in the requirements process, instead taking the attitude that “the business is requesting it, so it must be the best thing to do.”


Cover Story

The requirements process—literally, deciding what should be included in software—is destroying projects in ways that aren’t evident until it’s too late. Some CIOs are stepping in to rewrite the rules

BY CHRISTOPHER LINDQUIST

Reader ROI

How a broken requirements process can sabotage software projects

Ways to rewrite the process for success

Software that can help monitor requirements for problems

Hugh Cumming had his work cut out for him. The gap between what his not-yet-implemented call center management application at a large European company could do and the requirements list created by 40 eager business-side stakeholders now filled 3,000 pages and threatened to delay an already overdue call center consolidation effort another four to five years. “My first instinct was that the project had absolutely no chance of success,” says Cumming, currently CIO for ADP Employer Services Canada.

Requirements, as every CIO knows, are a problem, but CIOs may not be aware of just how catastrophic the problem has become. Analysts report that as many as 71 percent of software projects that fail do so because of poor requirements management, making it the single biggest reason for project failure—bigger than bad technology, missed deadlines or change management fiascoes. Though CIOs are rarely directly responsible for requirements management, they are accountable for poor outcomes, which, when requirements go bad, can include: project delays, software that doesn’t do what it’s supposed to and, worst of all, software that may not work correctly when rolled out, putting the business—and the CIO’s job—at risk.

Mishandled requirements can torpedo a project at any time, from inception to delivery. Start down the wrong road and you arrive at the wrong destination. And even if you’re heading in the right direction, making fumbling changes midstream can be almost as deadly. Not integrating requirements with your test process can have you racing back late in the game to correct problems that might have been solved early on (and more cheaply).

It’s  up  to  the  CIO  to  establish  an  overall 
requirements  process  that  works  and  to 
support  it  with  the  political  skills  necessary 
to  get  buy-in  from  both  the  business  and 
development  sides.  The  CIO  must  also  have 
the  organizational  backbone  necessary  to 
shove  wayward  requirements  processes 
back  into  line. 

None of this is easy. Business users often don’t know exactly what they want, can’t prioritize what they do want, request things IT simply can’t deliver (because of complexity or cost), or can’t describe their desires in terms that translate accurately into code. On the IT side, analysts, architects and coders regularly try too hard to please and don’t set realistic expectations for projects; they don’t use every means possible to guarantee that what they’re building is what the user really needs, and sometimes they even fail to make sure that they’re talking to all the right stakeholders.

In short, the traditional practice of requirements is broken. But some IT folks are doing everything they can to fix the situation. To a man, they say process is key. Exactly what process? They all have their own ideas. One executive decided to simply enforce rules that should have been enforced all along. Another rewrote the rules from the ground up. And a pair threw out the old rule books completely, one taking a business-process-focused approach and the other choosing to build applications with quick iterations rather than long requirements documents. But they all agree that you should choose a formal requirements-gathering process and stick to it.

Writing  requirements  is  hard.  It  will 
always  be  hard.  But  with  a  handful  of  smart 
decisions  you  can  create  a  requirements 
process  that  will  produce  positive  results— 
and  maybe  keep  your  next  project  from 
becoming  another  statistic. 

Forty’s  a  Crowd 

Cumming’s solution to his requirements nightmare was radical surgery. First—with backing from ADP’s chief executive—he stripped down the scope of the consolidation project, lopping off existing processes that worked as-is and didn’t need to be rolled into the new application. He also pared the group of 40 stakeholders to five active participants. He allowed the others to stay involved, but only in the more passive role of reviewing the implementation plan and feature specifications, without actually adding feature requests of their own. He then repeatedly went back to the remaining five stakeholders and asked them if specific requirements were really must-haves or simply nice-to-haves. After less than two months of pressing the issue, his new requirements list was less than 10 percent of the original. And after the project went into production, it needed to accommodate only one major change before being rolled out to 12 global locations.

Cumming says the problem in this case—and in many cases—is that IT often does not take a leadership position in the requirements process, instead taking the attitude that “the business is requesting it, so it must be the best thing to do.” But that kind of thinking can lead to requirements lists that are unmanageable and unforgiving. Instead, he says, IT people need to develop a valuable skill: saying no with a smile. “Really what you’re saying is, ‘Not yet,’” Cumming says.

To  paraphrase  Daniele  Vare,  managing 
requirements— like  diplomacy— is  the  art 
of  letting  everybody  have  your  way. 

When Cumming reduced his army of 40 stakeholders to five, he admits that there were some “interesting conversations” about who would stay in primary roles, noting that people were worried they were going to lose features they felt were important to their business units. To ease their fears, Cumming and the core stakeholders created a “high-level vision” (a summary of the most important functions) for the project and spent time demonstrating how the final project lined up with that vision. He also showed all the stakeholders how they would get at least some value from the project—even if they weren’t going to get every single detail they wanted.

The  more  passive  stakeholders  were  also 
encouraged  to  become  more  active  as  the 


“TOOLS NEVER FIXED a software problem,” says Richard Chennault, enterprise architect at Kaiser Permanente. But when it comes to managing the requirements process, tools can be a help—assuming good processes are already in place.

Whether  you  subscribe  to  the  Rational  Unified  Process  and  own  the  complete 
suite  of  Rational  applications  or  simply  piece  together  your  own  toolset  from 
smaller  vendors  such  as  Borland  and  iRise,  tools  can  act  as  bearings  and 
guardrails  to  help  keep  your  requirements  process  moving  and  on  track. 

Some  examples: 

developed by Ward Cunningham (who also invented the community-edited online Wikipedia), is a platform where requirements are literally written as tests—for a requirement to be met, the test must pass. And FitNesse, which puts a wiki-like interface on the FIT methodology, allows business users (or more likely business analysts) to enter requirements into a spreadsheet interface that automatically produces test cases for later testing.


ITlc  (used  by  Bank  of  Montreal)  lets  customers  and  business 
analysts  produce  simulations  and  tests  before  any  code  gets  written. 


(used  by  ADP)  is  a  requirements-management  tool  that 
breaks  requirements  into  functional  and  nonfunctional  (qualitative)  buckets,  cre¬ 
ates  graphical  storyboards  of  requirements  and  generates  test  documentation. 

_  (used  by  Bank  of  Montreal  and  Procter  &  Gamble)  integrates 
with  Mercury  Interactive’s  TestDirector  for  automated  testing. 


lets  companies  create  rich  prototypes  of  applications,  allowing, 
if  not  functional  tests,  at  least  visual  confirmation  that  requirements  are  being 
accurately  modeled.  “Short  of  having  a  simulation,  you  will  get  to  the  testing  phase 
and  have  misrequirements,”  says  David  Nix,  vice  president  of  online  banking  at 
Suntrust,  an  iRise  user. 


(used by Kaiser Permanente) allows simplified requirements modeling.


But,  while  all  these  products  can  simplify  the  requirements  in  your  life,  “you 
have  to  focus  on  process  first,"  says  Chennault.  “You  can  do  all  this  stuff  with  a 
notepad  and  a  pencil  if  you  have  a  great  process."  -C.L. 


call center system began rolling out. When the system moved into their departments, these stakeholders became directly responsible for sponsoring any necessary application changes within those departments. This task was assisted by the intense interest that senior management had in getting the project into production. Cumming felt he needed to know who really wielded influence in the company (versus what appeared in the org chart), plus he wanted to identify stakeholders with sufficient technical expertise to add value to the requirements-gathering process.

“The list of people who would have the most to contribute to a requirement list always ends up being small in my experience,” Cumming says.


The  Rules  of  the  Roles 

Tired of his company’s hodgepodge of requirements practices, Jesse Hanspal, director of development technology services at Bank of Montreal Financial Group, decided to create his own process by combining pieces of existing requirements techniques and adding a quality assurance process as well. Hanspal says that after five years of effort, the bank has defined the requirements process at a level of abstraction high enough that it can be applied to any project or problem. After much consideration, the bank decided that it needed a process built around responsibility and job roles in order to guarantee that all necessary stakeholders had a say.

“It’s important to get all the stakeholders around the table and get the requirements from the horse’s mouth,” Hanspal says. And, he adds, by defining stakeholders according to their roles, you get a more accurate cross-section. For instance, he says, for a given project, you need representation of the end user role, of course, but also of the application administrator role, not to mention roles related to security and regulatory compliance.

Hanspal  notes  that  in  the  past  IT  spent 
10  percent  to  20  percent  of  its  time  and 
energy  on  defining  requirements.  “What 
we’ve  learned  is  that  once  you  have  defined 
a  process,  then  you  go  and  get  an  ISO  9000 
certification  for  that,”  he  says.  Having  the 
certification  lets  people  know  what  is 
required  of  them.  It  also  gives  the  bank  a 
chance  to  evaluate  effectiveness  and 
improve  the  process.  And  Hanspal  says  the 
new  process  has  produced  results.  For 
instance,  the  number  of  software  defects 
related  to  requirements  has  dropped  by 
some  50  percent  since  implementing  the 
new  controls. 

Bank of Montreal also wanted to make sure that its analysts had the skills necessary to execute the new process. Unfortunately, while it had been easy to find external certification for project management (the Project Management Institute) and functional testing (the Quality Assurance Institute), no similar body existed for business analysis. So the bank created its own. The International Institute of Business Analysis now boasts some 800 international members, Hanspal says, and any company can send analysts for training in the Bank of Montreal approach.

Going  Agile 

Given  the  trouble  companies  continue  to  have 
with  requirements,  some  practitioners  argue 
that  the  process  needs  to  be  more  flexible. 

Gregor Bailar, CIO at Capital One, is a convert to one of these antiestablishment philosophies: agile development. Agile development advocates argue that old-style requirements processes are too rigid, put walls between users and developers, and, given the ever-changing nature of software and business, are fated to fail. Instead, they say, developers and users should sit down together and start coding almost immediately, stopping frequently to evaluate progress and make necessary changes based on user input without feeling the need to follow a monolithic requirements document.

“What  we  needed  wasn’t  more  process  but 
to  get  to  the  value  [in  a  project],”  Bailar  says. 


Capital One CIO GREGOR BAILAR is a fan of agile development, saying requirements gathering should focus less on process and more on the project’s business value.


After piloting the concept in early 2004, Bailar began forming the ultra-lean, connected teams that are the basis of the agile method. Agile teams at Capital One generally consist of three businesspeople, two operations people, and five to seven IT folks, including a business information officer (in effect, a translator who works between the business and IT sides), a project manager and at least one of the 80 developers that Bailar sent to formal agile training classes. Along the way, some architects and security experts will add their skills as necessary. Each team gets its own agile coach (one of 20 Bailar hired) to keep an eye on the proceedings and offer advice and support. Teams meet in dedicated, open rooms, and initial requirements are limited to a goal for the project, a handful of cards with specific needs, and some models or prototypes for reference. Teams work together in close quarters throughout the project, and development stops regularly—perhaps three or four times in a typical nine-week development cycle—to assess progress and determine if changes are needed. Larger projects are built by breaking projects down into small pieces and assigning each subsection to an agile team (the method is sometimes called “swarming” in agile circles), with the overall progress controlled by a project manager.

To test the results of the system, Bailar took several in-development projects and switched them midstream from older waterfall-style development to “scrum,” an agile technique that prescribes small, flexible groups that include developers and users and divides development into a sequence of 30-day “sprints.” These sprints begin with a planning meeting and end with the group reviewing test results before the start of the next sprint.

He then tracked their progress against the historically expected progress of the older method, and he was happy with what he saw. Agile reduced development time by an average of 30 percent to 40 percent (sometimes nearer to 50 percent) while simultaneously improving the quality of the deliverables. He’s sold, though he acknowledges that agile has its limitations.

“There  are  lots  of  things  we  don’t  use  agile 
for,”  Bailar  says,  noting  that  the  method 
excels where requirements are ambiguous and priorities are unclear, or for situations where you have the triple constraint of “faster, cheaper, better” but can’t afford to drop one of the three. For extremely large projects or those with very distinct and ordered requirements, Bailar says more traditional approaches are probably a better fit.


Every Line of Code Connected to a Business Process

Robert Sherman might not see it that way, however. Sherman, the strategic methods leader for IT at Procter & Gamble Pharmaceuticals, isn’t a huge fan of traditional approaches to requirements. He considers requirements only one of the first threads in a tapestry that includes everything from business processes to a finished software application. And unless IT managers begin to realize the importance of this interconnectedness, he warns, countless projects will continue to crash and burn.

Like ADP’s Cumming, Sherman had a requirements epiphany in the late 1990s. At the time, he was involved in an effort to standardize all of P&G’s ISO factories on a single factory-floor information management system. He and nine other experts at the company compared a 70-page specification written by the supplier to a 200-page requirements document written by P&G. Experts and vendor alike agreed that the document contained everything necessary for a successful project. It was concise. It was complete. It also “went to hell in a handbasket,” Sherman says.

Poking through the rubble, Sherman at first couldn’t understand what had gone wrong. Why had the seemingly ideal specification failed to produce a suitable application? He hired a contractor who spent two months tracing every requirement to every relevant sentence in the specification. P&G found that 30 percent of the deliverables were not adequately addressed. And from what Sherman could tell, the misfires were a result of being too dependent on team members’ recollection of document comparison. The supplier had looked for common patterns that it could duplicate in order to reduce coding complexity. To Sherman and the others reviewing the specification, it looked—on the surface—as if those patterns matched exactly to the requirements. But they hadn’t. The problem, Sherman eventually decided, was that everyone involved had simply run up against the limits of their ability to comprehend extremely complex situations. The management tools they were using were
also unable to make proper connections between deliverables and the actual business processes they would support—connections that would have highlighted the subtle distinctions that turned success into failure.

Frustrated with the inability of requirements management software vendors to address the overriding disconnectedness he felt was at the core of many development problems (not just this one), Sherman decided to build a system using his own schema and a collection of tools that now includes Visio and Telelogic’s Doors. The premise, he says, was simple: granular traceability. His vision was to be able to take a piece of code and quickly trace it back through the development process, back to requirements and then—rather than stopping there—map it all the way back to every affected business process to better gauge the application’s impact on the business and to find hidden stakeholders.

Getting to this point has taken five years and has required the IT team to gain an encyclopedic understanding of business processes, but the results have been worthwhile. Using complex pharmaceutical project lifecycle management tools as a benchmark, Sherman says he produced the application at one-quarter the cost and with fewer than 10 percent of the expected defects compared with outside development estimates. Sherman also helped another group in P&G apply the technique to a teetering ERP implementation that seemed destined for failure thanks to a never-ending requirements process. By shifting midstream to the new schema, however, the project got back on track and now looks like it will be a success, he says.

The P&G schema has produced numerous side benefits as well, Sherman adds. For instance, an approach called “initiative scenarios” helps IT teams identify potential enterprise-level stakeholders, with the aim of converting them to sponsors before a project even gets under way. Since every requirement links back to a business process, business-side stakeholders, developers, architects and analysts can trace their way through the organization, identifying groups that feel an impact from the new application, even if they weren’t the actual end users. As an example, Sherman points to an Electronic Lab Notebooking (ELN) application (a digital data collection tool for researchers) that P&G had been having trouble getting rolled out. Previous attempts at justifying and delivering the ELN limited the requirements analysis to the lab bench and the scientist who used the notebook. But Sherman was able to demonstrate a domino effect that showed how notebook data would affect acquisitions, divestitures, patent filing and more. As a result, the IT group was able to seek additional sponsors inside the organization, and the project is heading toward 4,000 users.

“If you’ve done the appropriate joins [to these work processes] and you understand the linkages back to the roles, you can get the clearance ahead of time—or kill the project if you don’t have the buy-in,” Sherman says.

The schema also has a dramatic impact on compliance. A too-restrictive view of regulatory issues can cripple projects in the pharmaceutical industry. A too-loose interpretation, meanwhile, could open the company to legal action. But previous requirements methodologies at the company relied more on gut instinct to determine the proper balance. Now, Sherman says, compliance experts can trace their legal requirements all the way from business process to final code to determine if regulations come into play. And the schema’s chartlike format and standardized sentence structure make it possible for just about anyone to trace a path, which helps users and developers prioritize requirements based on which ones will have the greatest impact on a business process.

Even so, Sherman says, successfully using the schema requires a couple of rules. Projects must be broken down into pieces. More complex applications can be built by combining these pieces, but Sherman believes that going beyond a certain level of documentation leads only to more documentation—and greater complexity—instead of execution.

Required  Thinking 

As  these  cases  show,  requirements  processes 
must  change,  and  CIOs  need  to  drive  the 
charge.  Fixing  your  broken  process  probably 
won’t  be  easy  or  quick,  so  start  now. 

“Today, survival depends on game changing—certainly for IT it does,” P&G’s Sherman says. To change the development game, “IT is going to have to understand the intersections between requirements and business processes.” Failure to achieve that understanding could have dire consequences, he warns.

“If you’re not rewriting the rules of the game,” Sherman says, “then you deserve to have your job offshored.”


Technology  Editor  Christopher  Lindquist  can  be 
reached  at  clindquist@cio.com. 


“It’s important to get all the stakeholders around the table and get the requirements from the horse’s mouth.”

-Jesse  Hanspal,  Director,  Bank  of  Montreal  Financial  Group 
Next to requirements, testing is the most overlooked, most underfunded, most rushed, yet most critical aspect of the software development cycle. Here are 11 ways to boost the level of success.


BY MERIDITH LEVINSON

Three years ago, Station Casinos came up with a great promotion to lure customers: $25 worth of free slot play on their electronic loyalty cards. It worked like a charm too. Gamblers flocked to the casino in droves.

That should have been a good thing.

But one Friday night, shortly after the promotion began, when players inserted their cards into the slot machines, nothing happened. The sheer number of people trying to access the machines—at the same time the accounting department was running a number of financial applications—caused the servers that stored all the promotional information to freeze. Irate, players threw their loyalty cards on the floor and raised a ruckus.

That  was  a  bad  thing. 

The source of the problem? Testing. Marshall Andrew, Station Casinos’ VP of information technology and CIO, says Station Casinos never anticipated such an overwhelming response to the promotion. Consequently, IT did not test the system for such large volumes of activity, and certainly not while other programs were running. Station lost the cash they would have made that Friday, alienated customers and had to run another campaign to apologize; the casino invited some customers to return another weekend for $50 worth of free slots.

The moral: Testing is essential to developing high-quality software and to ensuring smooth business operations. It can’t be given short shrift; the consequences are too dire. Businesses—and, in some cases, lives—are at risk when a company fails to adequately and effectively test software for bugs and performance issues, or to determine whether the software meets business requirements or end users’ needs. (See “The High Cost of Flawed Testing” on Page 66.)

“The important thing when you roll out a system is to make sure it works,” says Andrew, who has made significant changes to his testing organization (known as quality assurance, or QA) since then. First, he changed the testing process itself. Previously, developers had a great deal of freedom to change code while it was being tested to keep the project moving. Now, there are tight controls on the developers’ access to test code. To keep everyone honest, Andrew had the QA specialists begin reporting to the business analyst group rather than to the development group, whose work it was evaluating. Next, he hired more QA specialists—with business training—and involved them in the development process earlier, when business analysts are creating requirements documents, so that they can then develop test scripts based on business specifications right from the beginning.

The following best practices for testing software and running your testing organization were gleaned from interviews with companies that have rigorous testing needs and standards. These tips go beyond the “test early and often” mantra and will improve your IT organization’s testing capabilities—not to mention the quality of the software you release.

Respect your testers. In many companies, testing is an entry-level job. As a result, testing isn’t done well. Instead of hiring people off the turnip truck, recruit candidates who are detail-oriented, methodical and patient. Look for people who know how to code. Your developers will respect them more, and they can code some of their own testing tools. “If the development organization and the QA organization don’t respect each other, we won’t be able to achieve our high-level quality goals,” says eBay’s VP in charge of QA, David Pride.

Colocate your testers and developers. Putting developers and testers together goes a long way toward improving communication between two groups that often lock horns (after all, testers are paid to find fault with developers’ work). Physical proximity “facilitates the nuances of testing” that are best communicated through personal interaction rather than by e-mail or an application development workflow tool, says Pride.

Set up an independent reporting structure. Testing should not report to any group that’s evaluated on meeting deadlines or keeping costs down for a project, according to John Novak, senior VP of hotel chain La Quinta. Having testers report to the development group is the worst choice of all, Novak says. If developers are behind or having trouble with code, they will be tempted to keep testers out of the loop. Instead, Novak has testers report directly to him. Andrew has testing report into his business analyst group as a way to foster communication and to get testers involved in the development lifecycle early.


Dedicate testers to specific systems. At Barnes & Noble, one group of testers focuses on store systems, while others tackle financial and warehouse systems. Barnes & Noble CIO Chris Troia says focusing testers on one set of systems deepens their understanding of how those systems are supposed to work and gives them the expertise to identify problems that might not show up in a formal test document. EBay takes the same approach, but goes one step further. The company has three distinct testing groups: one for site functionality, one for payments and one for data warehousing applications.

Give  them  business  training.  Station  Casinos’  Andrew 
makes  members  of  his  testing  department  work  the  front  desk,  the 
casino  floor  and  in  different  corporate  departments  so  they  can  learn 
the  lingo  and  better  understand  the  systems  they’re  testing.  (Most  of 
his  125-person  IT  staff  had  never  placed  a  bet  on  a  sporting  event  at 
a  casino  prior  to  joining  the  company.) 

Allow business users to test too. Most testing involves banging on systems and fiddling with code—technical stuff—which can tempt IT to leave business users out of the loop. Bad mistake. At La Quinta, “the testers are always coming out of the business community,” says Novak, to ensure that the systems IT is developing meet their specs. For some applications, especially those that run in hospitals, getting end users to test applications is a matter of life and death. “Technology people can only go so far,” says Patricia Skarulis, vice president of information systems and CIO of Memorial Sloan-Kettering Cancer Center. “We need to have users involved.”


The High Cost of Flawed Testing

A brief, sad but instructive history of futility and failure

■ Bugs in connections between Hewlett-Packard’s legacy order-entry system and SAP systems caused a backlog of customer orders for servers beginning in June 2004. The computer problems and resulting backlog cost the company $40 million in lost revenue.

■ A failure to test for specific conditions contributed to the August 2003 blackout that affected much of the northeastern United States and parts of Canada.

■ Insufficient testing was one of the causes of Nike’s failed i2 demand forecasting software implementation in June 2000, which reportedly cost the company more than $100 million in lost sales.

■ EBay’s 22-hour outage in 1999 prompted the online auctioneer to reengineer its technology organization, including systems architecture and development, and testing approaches.

■ Glitches in the software controlling London’s emergency response system (London’s version of 911) resulted in ambulances being dispatched to the wrong locations and citizens not getting proper medical care in a timely manner in 1992.

■ During the 1980s, the user interface of a computerized radiation therapy machine, the Therac-25, was not adequately tested, and undetected bugs in the device’s radiation administration engine made it possible for technicians to program the wrong doses of radiation. As a result, several patients died or sustained serious injury from overexposure. -M.L.

Involve network operations. Nate Hayward, vice president and director of quality management with HomeBanc Mortgage, says that during testing, his company’s network operations group uses a software tool (Compuware’s ServerVantage) to monitor servers for performance issues that could originate from the way hardware or software is configured.

Involving the network operations experts in testing also gives them the opportunity to rehearse a deployment before a system goes into production, ensuring that the actual implementation will proceed smoothly.

Build a lab that replicates your business environment. Four years ago, Station Casinos built a costly test lab that looks like a minicasino with slot machines, point-of-sale terminals and Web-based kiosks that simulate the computing environments at all 13 of Station Casinos’ properties. Ninety percent of the applications the company runs, including wireless apps, are duplicated in the test lab. For the other 10 percent of applications, which are too big or complex to create an exact testing replica, Andrew comes up with a scaled-down subset of the app to predict how it will run when it’s fully rolled out. Or he gets help. With Station Casinos’ last system rollout, he used Microsoft’s test labs to run simulation models.

Develop tests during the requirements phase. Companies traditionally have waited to do testing until requirements have been established and coding has begun—or finished. A growing school of thought says that testing can still be done effectively even if the requirements have not been developed fully. Fans of “agile programming” (see “Fixing the Requirements Mess,” Page 52) believe that testing should be done continually from the beginning of the project until the end.

Test the old with the new. EBay uses a statistical analysis tool it built in-house to compare defects discovered by testers to the code that was tested during a particular testing cycle. The goal is to make sure that previously tested pieces of software still work properly when new features are added. Pride says the statistical analysis tool pinpoints where testers need to add test cases in the current project and also helps determine the overall effectiveness of current regression tests for forthcoming software projects. EBay needs to continually refine the tests because some new projects may contain the same functionality as previous projects. The better those tests can be, the better future projects will be.

Apply equivalence class partitioning. This is a mathematical technique that testers can use to identify additional functional requirements that business analysts and users might have overlooked or not articulated, says Magdy Hanna, chairman and CEO of the International Institute for Software Testing. He says equivalence class partitioning gives testers a clear picture of the number of test cases they need to run to adequately exercise all of a system’s functional requirements. Pride says equivalence class partitioning is one way his group can determine all the ways in which eBay’s 157 million users might use its online auction platform.


Senior  Writer  Meridith  Levinson  can  be  reached  at  mlevinson@cio.com. 


Wayne Luthringshausen, chairman and CEO of The Options Clearing Corp., wanted his IT group to stop putting out fires and move forward with a new system to help the company keep up with its clients' changing technology.

View from the Top

The CEO of The Options Clearing Corp. knows his company lives or dies by the strength of its IT. Maybe that’s why he isn’t so hung up on cutting costs and hitting deadlines.

BY BEN WORTHEN


WAYNE LUTHRINGSHAUSEN is chairman and CEO of The Options Clearing Corp. (OCC), a clearinghouse for options, futures, derivatives and other complex financial trades. The company, which is jointly owned by some of the country’s largest options exchanges, processes over 5 million contracts on an average day. Its customers—approximately 130 financial services firms—can’t put up with any downtime. Luthringshausen depends on IT to get this done. “Our systems, the hardware they operate on and the wires that connect them, that’s our factory,” he says. “We don’t have a business without it.” Correspondingly, IT employees make up almost two-thirds of the company. In April, OCC went live with a fourth-generation transaction processing system that cost $100 million and took five years to install.


Luthringshausen  needs  to  get  his  budget 
approved— and  ultimately  provided— by  his 
customers.  As  a  result,  a  large  part  of  his  job 
is  to  serve  as  an  intermediary  between  IT  and 
those  clients.  Luthringshausen  spoke  with 
CIO  about  how  he  fulfills  that  role  and  works 
with  his  executive  team,  including  the  CIO. 
He  also  offers  some  surprising  insight  on  how 
CEOs  view  IT  expenditures.  Hint:  Coming  in 
on  budget  is  not  always  the  be-all  and  end-all. 

CIO:  Do  you  find  yourself  having  to 
defend  your  IT  department  to  your 
customers? 

Wayne Luthringshausen: That’s how I’ve viewed my job all along. If IT screws up, I’ll tell my clients that we’ve screwed up and we’re going to solve the problem. But the other side of it is that I don’t think my board should be beating up on my IT folks. I have to be an advocate, because we’re doing a good job. For example, I went to a bar one night after a function, and one of our clients was there. He yells down the bar at me, “Luthringshausen, you’ve got the lousiest IT operation anywhere in the world!” That took me aback—it’s not the best way, but it’s one way to get feedback. The issue, it turned out, is that every night we process the day’s transactions, and our agreement is that we get the results to our clients by midnight. So we’ve built our system to be able to deliver on a peak night, when the volume is substantially higher than average. As a result, most nights we deliver around 10 p.m. When that night comes where he gets them at 1 a.m., in his mind, I’ve missed.

As  the  CEO,  how  do  you  stay  on  top  of 
complaints  like  that,  as  well  as  ones 
that  address  fundamental  weaknesses 
with  your  IT? 

There  are  two  ways.  Our  clients,  the  Merrill 
Lynches  and  the  Goldman  Sachs,  are  very 
technologically  astute,  and  if  we  fall  too 
many  technology  generations  behind  them, 
we’re  not  going  to  be  able  to  provide  the  kind 
of  information  services  they  need  in  order  to 
trade.  So  for  me,  it  starts  with  noticing  that 
our  customers  want  to  do  more  and  realizing 
that  we  can’t  do  those  things  inexpensively 
and  efficiently. 

For example, options expire on the third Saturday of every month. It’s a busy day, and there’s usually a heavy volume of transactions. Over that weekend we reconcile all the transactions that were made and expire all the contracts that aren’t exercised. Everybody in the industry works that Saturday. Well, our old system was a dumb terminal, so if you worked for Merrill Lynch you had to go all the way downtown to use the machine for what really is just a half hour of work. So of course everyone was asking, “Why can’t I just get on my laptop at home and log on to a website?” When you get enough questions like that you start to realize that you’re out of touch with your clients and the way they’re conducting business. That’s when I start to look at redoing the systems.

I  also  look  for  internal  things.  Our  U.S. 
options  volume  has  been  growing  at  20  per¬ 
cent  a  year,  and  the  bigger  it  gets,  the  more 
recognizable  our  problems  become.  And  the 
ramifications  are  bigger  when  you’re  doing 
5  and  a  half  million  contracts  a  day  than 
when  you’re  doing  a  million.  We  have  about 
50  quality  standards  to  help  us  measure 
how  we  are  doing.  If  we  miss  one,  odds  are 
I’m  not  going  to  hear  about  it.  But  you  miss 
two,  or  miss  one  for  several  months  in  a  row, 
everyone  hears  about  it.  Suddenly  you’re  not 
just dealing with a miss, you have a weakness
you have to address. People come to me
with  money  requests,  because  we  need  to 
add  this  or  that.  We  make  a  lot  of  changes, 
we’ve  fixed  this,  fixed  that,  patched  here.  One 
day,  you  sit  up  and  you  say,  “Guys,  it  just 
seems  like  our  systems  aren’t  what  they 
ought  to  be  for  the  kind  of  business  that 
we’re  doing  today.  Let’s  take  a  look  at  that.” 

Was  there  a  specific  moment  that  you 
knew  it  was  time  for  a  new  system? 

There  wasn’t  a  particular  incident,  it  was 
more  a  series  of  incidents  and  events  that  get 
you  to  a  point  where  you  realize  you  have  to 
move on. What I noticed was that our technology
management group had become
much better at putting out fires than at creating
[new systems]. You get to a point where
you  are  patting  people  on  the  back  for  having 
gotten  you  out  of  trouble  last  night,  when  it  is 
partly  their  fault  that  you  had  the  problem 
because  they  are  not  ready  to  move  on.  When 
someone  has  worked  on  something  for  so 
long,  it  can  become  their  baby.  Instead  of 

thinking about the next baby, they can only
think about fine-tuning the current one.
That’s the epiphany that I came to.

“I’d rather spend $100 million and have
the new system work than spend
$75 million and not have it work.”
-WAYNE LUTHRINGSHAUSEN, CHAIRMAN AND CEO, THE OPTIONS CLEARING CORP.

As  we  were  moving  along  [with  Encore, 
the  new  transaction-processing  system  that 
went  live  in  its  entirety  in  April],  it  became 
apparent  that  we  needed  to  move  the  project 
out  from  under  that  management  group.  They 
did  an  awesome  job  of  making  the  old  system 
run  a  long  time,  but  they  had  gotten  into  a 
defensive  mode,  and  it  is  hard  to  do  a  major 
project  when  the  whole  management  team  is 
like  that.  I  had  to  move  the  old  CIO  out,  and  we 
had  a  strategic  executive  manage  the  project 
for  a  while.  We  wanted  to  get  rid  of  as  much 
negative  energy  in  IT  as  possible  before  we 
brought  in  a  new  CIO.  We  wanted  someone 
who  could  come  in  with  a  fresh  view.  When 
we  hired  the  new  CIO  [a  year  and  a  half  ago] 
he  walked  into  the  middle  of  the  project. 

Encore  was  a  five-year,  $100  million 
project.  How  did  you  stay  on  top  of  it,  or 
did  you  leave  all  of  that  to  the  CIO? 

During  Encore,  I  went  over  what  was  working 
well  and  what  was  going  poorly  at  least  once 
a  week  with  the  project  manager,  the  COO 
and the CIO. Also, my CIO’s office is catty-corner
to mine. We see each other every day, and
he  would  have  to  make  a  real  concerted  effort 
to  hide  something  from  me.  I  also  hired  an 
auditor  to  come  in  and  do  some  checks  for  our 
board.  We  wanted  to  get  an  outside  opinion  on 
what  was  working,  what  wasn’t  and  where 
we  had  more  risk  than  we  should  have.  We 
got  that  report  every  couple  of  months.  It  was 
a  check-and-balance  for  the  board. 

You  know  what  though?  We  hired  the 
wrong  guys  [as  auditor].  They  reported 
things  as  being  in  trouble  that  weren’t  in 
trouble. So we had to get another auditor in to
audit the auditor. If you hire the right people,
it’s  a  great  way  to  get  an  independent  view,  to 
find  out  if  your  people  are  lying  to  you.  In 
our  case,  our  people  were  clearly  telling  us 
the  truth,  and  in  the  end  we  found  that  out. 

Your  customers  depend  on  you  to  keep 
your  systems  up  all  the  time.  As  the 
CEO,  how  did  you  ensure  that  you  could 
stay  up  while  doing  a  major  upgrade 
like  the  Encore  project? 

For  me  the  most  important  thing  is  the 
soundness  of  our  business.  And  it’s  my  job 
to set the tone for that—for example, saying
to the CIO that if the system goes down we
need to be up and running in two hours.
When we decide to take risk—and putting in
place a new system is definitely a risk—we
have  to  mitigate  it  as  best  we  can  with  all  the 
additional  processes,  resources,  checks  and 
balances,  testing  and  double-testing  it  takes 
so  we  are  confident  that  the  thing’s  going  to 
work  when  we  start  to  use  it. 

I  hear  about  organizations  that  are  doing 
these  big  systems  that  run  into  all  kinds  of 
problems.  I’d  rather  go  into  the  boardroom 
and say, “Guys, if we were a for-profit company,
we might try to do it for $75 million.
But  it’s  going  to  take  us  $100  million.” 
Because  we  have  to  be  absolutely  certain  it 
works,  and  I’d  rather  spend  $100  million  and 
have  it  work  than  spend  $75  million  and  not 
have  it  work,  and  then  have  to  spend  another 
$100  million  to  get  something  that  actually 
does.  I  never  like  to  brag  about  IT,  because  it 
comes  back  to  bite  you,  but  with  Encore, 
every  one  of  our  installs  worked.  And  now 
that  they  are  in  full-time  production,  they 
still  work.  I  think  the  reason  is  that  we  said 
we’re  going  to  spend  more  money  at  the  front 
end  of  this  thing  to  make  sure  it  works. 


But  CIOs  are  trained  to  try  to  deliver  on 
time and under budget. Are you advocating
a mind-shift?

Our  CIO  came  from  a  larger  company  with 
a  much  different  kind  of  environment,  and 
it  took  him  a  good  six  months  to  recognize 
how  we  look  at  this  stuff.  When  he  first 
came  in  he’d  say,  “Hey,  I  want  to  get  this 
thing  done  in  half  the  time,”  but  he’s  sitting 
in  a  room  with  a  bunch  of  people  that  have 
been  here  for  five  years  and  can  say,  “Whoa. 
Could  I  just  talk  to  you,  sir?”  It  sounds 
unbelievable,  I  guess,  but  remember,  I’ve 
been  here  for  35  years,  and  this  culture’s 
been  around  for  35  years.  I  want  my  CIO  to 
know  that  his  focus  shouldn’t  be  on  profits, 
it  should  be  on  pulling  off  a  project  safely 
and  soundly.  So,  yeah,  the  cost  for  us  is 
probably  a  little  higher,  but  we  accept  that 
within  certain  parameters.  Over  the  years 
you  get  a  pretty  good  sense  of  when  the  cost 
is  wacko  and  when  the  cost  makes  some 
rational  sense. 

On  April  15,  which  is  just  after  Encore 
launched, you guys processed 11 million
contracts, which is double an average
day. Were you nervous?

The  system  went  live  in  phases,  so  it  wasn’t 
all  brand-new.  But  we  knew  we  were  going 
to  be  stressed  during  the  day  since  volume 
for everything was up. It was all-hands-on-deck—we
sat there watching the CPUs. We
got hit pretty heavy, but we handled it. And
nobody knew we were staring at the computer.
Our view now is that we are headed to
that kind of volume more regularly. And we
won’t have any problem handling it.


Senior Writer Ben Worthen can be reached at
bworthen@cio.com.


The first time Farrell Delman outsourced application development to an IT
services company in India, the relationship was far from the mutually
beneficial partnership he had hoped for. As president and CIO of the Tobacco
Merchants Association (TMA), an information aggregator and distributor for the
tobacco industry, Delman needed an outsourcer to develop a content management
system to handle the organization’s ever-growing library of electronic
information. So in 2000, he signed a contract with a large IT services
provider in India that said it could complete the project for just $256,000,
instead of the $1.65 million it would cost TMA to do the work in-house.

Unfortunately, the outsourcer had little experience with content management
systems, Delman says, and developers spent much of their time learning on the
job on TMA’s dime. The outsourcer had underestimated the amount of work it
would take to develop the application and, therefore, had underbid, he says.
“A lot of what they considered their ‘design’ of the application amounted to
attempting to fit round pegs into square holes in order to save time and money,”
recalls Delman. The size of the vendor was also an issue. It had several big
customers, but TMA wasn’t one of them.


Part 2 of a three-part series about outsourcing strategies
and success models, defined in original research by MIT’s
Center for Information Systems Research and CIO.

Working with offshore partners requires CIO oversight and
strong capabilities on both sides


Reader  ROI 

::  Why  co-sourcing  alliances 
fail  37  percent  of  the  time 

::  The three must-dos for a successful
co-sourcing alliance

::  Why  offshoring  relationships 
take  a  long  time  to  develop 


Despite  frequent  trips  to  India,  Delman  felt  ignored.  What  attention  was  paid  to  TMA 
was  focused  solely  on  coding,  he  says.  “The  people  assigned  to  the  project  were  very 
skilled  in  IT,  but  they  didn’t  spend  a  lot  of  time  getting  to  know  our  business  model,” 
says Delman. And given that TMA’s business depended on this content management
system,  that  was  a  problem. 

Ultimately,  the  project  came  in  on  budget.  But  that  was  the  only  bit  of  good  news 
to  be  had.  The  project  took  seven  months  longer  than  expected  to  complete.  The 
content  management  system  was  not  aligned  with  the  business 
needs  of  TMA  and  lacked  the  flexibility  Delman  was  seeking,  he 
says.  And  ongoing  maintenance  for  the  application  proved  difficult 
and  expensive. 

Delman’s  experience  is  not  unique.  He  was  attempting  to  pull  off 
what  Jeanne  W.  Ross,  principal  research  scientist  at  MIT’s  Center  for 
Information  Systems  Research  (CISR),  calls  a  “co-sourcing  alliance,” 
in which client and vendor jointly manage projects—usually application
development or maintenance work that goes offshore. Unlike
outsourcing deals in which a CIO hands off a discrete piece of commoditized
or repeatable work to a vendor—what Ross terms a transaction
relationship—co-sourcing alliances rely on a symbiotic relationship between client
and  vendor.  (To  learn  how  CIOs  should  approach  transaction  relationships,  see 
“Simple  and  Successful  Outsourcing”  at  www.cio.com/10010S.) 

Co-sourcing  works  out  for  the  client  63  percent  of  the  time,  according  to  a  recent 
study  by  CISR  and  CIO.  Transaction  relationships,  by  comparison,  have  a  90  percent 
success rate. (A third type of outsourcing identified in the CISR-CIO study, strategic
partnerships,  works  out  half  the  time  but  goes  sour  in  the  other  half  of  cases.) 

The  mistake  that  CIOs  such  as  Delman  make  with  co-sourced  projects  is  failing 
to  set  them  up  as  partnerships  in  the  truest  sense  of  the  word.  Co-sourcing,  which 
draws  on  both  the  vendor’s  specialized  technical  knowledge  and  the  client’s  deep 
business  knowledge,  succeeds  only  when  both  parties  have  strong  capabilities  and 
the  relationship  is  set  up  so  that  those  capabilities  can  mesh  for  the  greater  good. 
Co-sourcing  that  is  treated  like  anything  but  a  team  sport  is  bound  to  fail,  says  Ross. 
Delman  says  his  vendor  did  not  bring  the  right  technical  skills  and  brushed  aside 
the  client’s  knowledge  of  the  business.  The  project  was  a  bust. 

Despite  less  than  stellar  success  rates,  CIO  interest  in  co-sourcing  alliances 
remains  high.  And  why  not?  Done  right,  you  can  gain  access  to  a  vendor’s  highly 
trained  technologists  and  project  managers  when  you  need  them,  while  actually 
saving  money  and  retaining  a  level  of  management  control.  The  trick  lies  in  setting 
yourself  up  for  success.  CIOs  who  want  to  make  co-sourcing  work  must  first  ensure 
that both they and the vendor have the right capabilities, then set expectations and
governance processes for a mutually beneficial alliance, and finally
revisit those expectations and management rules to sustain value
throughout the relationship. It may not be easy, says Ross, but “it’s
totally achievable.”

NOVEMBER 15, 2005 | www.cio.com

PHOTO BY CANCAN CHU

To keep his outsourcing alliance with Zhejiang University
on track, State Street CTO Jerry Cristoforo (at computer)
regularly visits Hangzhou, China, to collaborate with Zhejiang
faculty including (clockwise from upper left) Greg Au-Yeung,
Bo Zhou, Xiaohu Tang, Jianling Sun and Zhijun He.

Getting  to  Know  You 

After the missteps with his first attempt at a co-sourcing alliance, Delman
took some time to make sure he had his footing the second time
around. As maintenance on his content management system grew
more onerous, he once again sought out an outsourcer. His ultimate
goal was to create a new, more flexible application to manage content,
which approached 3GB in 2003. But he didn’t jump into another development
project with a vendor. Rather, he hired Cordiant to maintain
the application that the previous outsourcer had developed. Cordiant,
based in Kochi, India, spent more than a year doing maintenance on
the system before even considering the development of a new system.

That’s  how  Delman  avoided  the  snags  he  had  had  with  the  previous 
co-sourced  development  project.  “By  doing  maintenance,  [Cordiant] 
learned  what  the  system  was  about  in  terms  of  content,  and  they  were 
able  to  see  how  it  could  be  streamlined,”  he  says.  “The  maintenance 
period  also  gave  them  time  to  smooth  out  potential  problems.  “It 
was  a  good  way  to  find  out  what  the  communication  levels  were. 
You find out if when you say blue, they see the same blue. A lot of
learning happened in that maintenance phase.”

IT executives entering into IT and business-process outsourcing
arrangements seek a variety of benefits, including cost reductions,
variable capacity and reduced management time spent on IT.

But outsourcing succeeds only if the vendor, as well as the client,
achieves expected benefits. Often client and vendor interests are not
aligned. How can clients and vendors settle into a “sweet spot” where
their interests coincide? New MIT CISR-CIO research has examined 90
outsourcing deals in 84 companies to help executives recognize
opportunities for long-term benefits from outsourcing relationships.

The research found that the outsourcing sweet spot depends on the nature
of the client-vendor relationship. There are three types of outsourcing
relationships: 1. a transaction relationship in which an outsourcer
executes a well-defined, repeatable process for a client; 2. a co-sourcing
alliance in which client and vendor share management responsibility for
project success; and 3. a strategic partnership in which an outsourcer
takes on responsibilities for a bundle of client operational services.

The first article in this three-part series explored transaction
relationships. This article focuses on co-sourcing alliances, describing
how responsibilities are shared between the client and vendor, the value
that each party seeks and the inherent tensions in the arrangement.

How to Maximize Value from
Co-Sourcing Alliances

In a co-sourcing alliance, clients and vendors share management
responsibilities, usually for application project initiatives. They draw
on both the vendor’s specialized technical skills and the client’s deep
business knowledge.

Client interest in co-sourcing arises from the desire to access
lower-cost but higher-quality technology and project management
expertise while maintaining control over the project. Vendors seek to
develop industry and application knowledge as they deliver expertise at a
cost that often mixes local and offshore labor rates. When the client and
vendor both have strong capabilities, they create a mutually beneficial
arrangement.

The contribution of the outsourcer in a co-sourcing alliance is difficult
to isolate from the contribution of the client’s employees. For example,
Dow Chemical, which deploys project teams with, on average, four vendor
employees for every internal team member, has a set of metrics to assess
team productivity on factors such as function points. But ultimately, Dow
CIO David Kepler notes, the measure of success for the outsourcing
arrangement is the project outcome. He considers his alliance a success
because alliance teams consistently deliver high functionality on time
and on budget. Kepler does not know—or care—whether outcomes would be
different if the vendor were not involved. He has an affordable variable
staffing model that works.

Co-sourcing alliances present risks to both clients and vendors. For
clients, generating value requires relying on vendor expertise, but too
much reliance can result in insufficient internal knowledge to apply new
technologies effectively. Vendor risk results from the need to teach
project methodology to the client. Vendors run the risk of working
themselves out of a job as they strengthen their clients’ skills.

Understand the Three Types
of Outsourcing Deals

Companies can become competent in all three types of relationships. It is
important to match specific outsourcing needs with the appropriate type
of relationship.

Clients managing transaction relationships as strategic partnerships
incur expensive and unnecessary overhead. Co-sourcing that is treated
like anything but a team environment is sure to suboptimize outcomes.
And clients and vendors in strategic partnerships who refuse to regularly
renegotiate will become embroiled in bitter contract battles. In all
outsourcing relationships, both client and vendor should target the sweet
spot to maximize benefits.

Jeanne W. Ross is principal research scientist at MIT’s
Center for Information Systems Research. Cynthia M.
Beath is a professor emerita in the Department of
Information, Risk and Operations Management at the
University of Texas at Austin.

When it was time to start development on a new system in June 2004, both
client and vendor were in agreement about what would work best for TMA.
Cordiant began work on an open-source content management system. Within
seven months, Cordiant completed the system for $300,000; Delman estimates
it would have cost $2 million to do in-house. But more importantly, the
company delivered a system that met TMA’s needs for a dynamic content
management system in full. And that’s saying a lot for Delman, who by his
own admission is “a little obsessed about [the] applications” on which
TMA’s business model hinges. “If they don’t work,” he says, “we
don’t sell.”

Farrell Delman, CIO of the Tobacco Merchants Association, views his
outsourcer as “my own internal systems department.”

Delman  expects  to  renew  the  contract 
with  the  outsourcer  in  2007.  “What  I  have 
with  Cordiant  is  the  relationship  I  would 
have  with  my  own  internal  systems 
department,”  he  says.  “In  fact,  I  view  them 
as  my  own  internal  systems  department.” 

TMA’s  second  attempt  at  co-sourcing  worked  well  because  Delman 
chose  the  right  partner  and  allowed  time  for  the  two  companies  to 
learn  one  another’s  capabilities  and  needs.  Ross  explains  that  “if  you 
start  small  and  take  the  time  to  learn  how  to  do  it,  co-sourcing  can  be 
a  natural  to  help  CIOs  access  IT  talent  at  lower  offshore  rates  while 
making  better  use  of  their  internal  staff.” 

At  State  Street,  the  seeds  of  a  successful  co-sourcing  alliance  go 
back a quarter century. Jerry Cristoforo, State Street’s CTO and executive
VP of enterprise information and global markets technology
services,  formed  a  relationship  with  Zhijun  He,  the  founder  of  the 
computer  science  program  at  China’s  Zhejiang  University,  way  back 
in  1980.  Fast-forward  25  years  and  State  Street  has  developed  a 
co-sourcing  alliance  with  UniverseSoft  Technology,  an  outsourcing 
company  spun  out  of  the  university  that  is  dedicated  to  application 
development  and  maintenance  for  the  Boston-based  financial  services 
company.  State  Street  owns  81  percent  of  the 
company,  the  university  19  percent. 

Before the company was formed in 2003, State Street used the university’s
PhD candidates for R&D work. Although his relationship with He had been
close for years, Cristoforo knew he had to take some time to develop the
alliance between State Street’s IT staff and business users and the
student-developers in China. In 2001, three Zhejiang professors spent nine
months in Boston working with State Street’s development managers,
getting to know the business and taking on several long-term technical
projects as project managers. Development was done back in China.

Soon  after,  State  Street  ran  into  a  problem  with  its  trade-execution 
software. The company had acquired the system in 1997 in anticipation
that the transition management business (which has to do
with  high-volume  asset  reallocation)  would  take  off.  It  didn’t,  and  the 
employees  who  knew  the  system’s  inner  workings  ultimately  left 
the  company.  In  2002,  transition  management  activity  suddenly 
went  through  the  roof,  but  the  software  supporting  it  was  no  longer 
current.  It  went  from  crashing  once  a  year  to  several  times  an  hour, 
and  there  was  no  one  around  with  the  knowledge  to  fix  it. 

Cristoforo  realized  he  had  a  solution  at  hand: 
the  developers  at  Zhejiang.  There  was  no  doubt 
they  were  talented.  The  only  question  was 
whether  they  could  fix  the  problem  fast 
enough,  since  they’d  previously  worked  only  in 
R&D mode. But the combination of the technical
minds in China and the business knowledge in Boston, linked by the
project  managers  in  both  locations,  resulted  in  success.  “In  10  months, 
we  were  in  production  with  the  new  system,”  Cristoforo  says. 

Zhejiang  was  a  great  resource  for  State  Street,  but  not  a  permanent 
one.  “When  we  did  that  project,  all  of  a  sudden  we  had  all  this  core 
development  knowledge  at  the  university,”  Cristoforo  says.  “But 
what  happens  when  one  of  those  wonderful  students  graduates?”  So 
he  worked  with  the  university  to  establish  a  company  that  could 
offer  long-term  employment  to  Zhejiang  graduates  to  work  on  State 
Street application development and maintenance. UniverseSoft Technology
has gone on to help State Street deal with a whole host of
legacy application issues—from high-end development to grunt
work—in record time and at low costs.

Cristoforo refuses to call the relationship with Zhejiang “outsourcing.”
“When you’re dealing with an outsourcing model, what
you’re  doing  tends  to  be  more  in  the  tactical  interest  of  the  company. 
When  you’re  co-sourcing,  it’s  more  of  a  long-term  relationship  and 
it’s  in  the  strategic  interest  of  a  company,”  he  says. 

All  for  One  and  One  for  All 

Like any outsourcing model, co-sourcing will work only if the client
and vendor both get something out of the relationship, says CISR’s
Ross. The vendor gets the benefit of developing industry- and
application-specific skills by working on the client’s project, while the
client reaps the vendor’s technology expertise at low costs. But a real
co-sourcing alliance goes a step further, sharing project risk as well.

Align for Outsourcing Success

Co-sourcing alliances work when both sides are equally engaged

Co-Sourcing: Objectives

What clients want

■ Cost savings
■ Access to expertise on demand

The Sweet Spot (a successful outcome)

■ Variable project staffing
■ Leverage with remote partners
■ Disciplined project management

Co-Sourcing: What it is, the benefits and the risks

Guy  de  Poerck,  CIO  of  the  International  Finance  Corp.  (IFC),  an 
arm  of  the  World  Bank  that  promotes  private-sector  investment, 
views that concept of shared risk as critical to the application development
and maintenance work it sends to its partners in India. IFC
has been using Satyam Computer Systems for application development
work for just 18 months, but it has quickly moved from paying
for the work on a cost-and-materials basis to a fixed-cost model.
Client  and  vendor  decide  ahead  of  time  how  much  money  will  be 
spent  on  all  application-related  work. 

To  do  so,  de  Poerck  must  be  completely  open  with  Satyam.  He 
shares IFC’s IT and business plans so that the outsourcer can determine
what resources will be required to support IFC’s ongoing projects.
And Satyam must stick to the initial budget (unless the scope of
a project changes) if it wants to profit from the relationship. “It’s a
true sharing of risk,” says de Poerck. “You can’t approach this like
you’re buying a commodity and saying, ‘Here are my operations—do
a survey and make me a deal.’ With co-sourcing you have to engage
with  each  other  at  a  really  detailed  level.” 

But it wasn’t easy for IFC to get to that point. De Poerck began
working with Satyam in early 2004 on a pilot project, paying for time
and materials. But to truly share risk and management, de Poerck realized
that his department would have to gain a better understanding of its
processes than it had at the outset. “You need to know exactly what all
your processes are and what your service levels are and have that
documentation ready,” says de Poerck. “Very often you will find that you
don’t. But co-sourcing is a fantastic way to force yourself to do that
and raise the [service] level of your own IT department.”

Another  important  ingredient  in  the 
co-sourcing  equation  is  the  level  of  trust 
and  openness  required.  IFC  insists  on 
having  “100  percent  visibility”  into  who 
Satyam  puts  on  its  projects,  says  IFC’s 
information  officer  and  offshore  manager, 
Zafar  Azhar,  who  reports  to  de  Poerck.  One 
reason  is  that  IFC  has  opened  its  network 
to Satyam. “We treat the development center
at Satyam in Chennai the same way that
we  treat  all  of  IFC’s  other  105  country 
offices  around  the  world,”  says  Azhar.  “We 
do  the  same  checks  on  [the  employees]  and 
ask  for  their  passports,  which  starts  a 
process  to  do  background  checks.” 

A major risk with co-sourcing alliances, according to Ross, is an
imbalance of inputs between client and vendor. If a CIO relies too much
on the outsourcer’s technical prowess, his staff may lack the knowledge
to use the applications effectively. Conversely, if a vendor spends too
much effort imparting its software development or project knowledge to
the client, it could, in essence, share itself right out of a contract.

What vendors offer

■ Low-cost labor
■ Project management expertise
■ Expertise on specialized technologies

Offshoring requires an awareness of cultural differences

Successful co-sourcing is all about client and vendor meeting each other halfway. And that
goes beyond the exchange of technical skills and business knowledge. Communication and
cultural awareness are also important, say CIOs.

State Street, which co-sources application development with UniverseSoft Technology in
China, holds cultural and language classes for its Boston-based employees. “They learn things
like how to address their Chinese counterparts, pronounce their names, et cetera,” says Jerry
Cristoforo, CTO and executive VP of enterprise information and global markets technology
services. “The problems that you usually think about with outsourcing—coding, policies,
processes—are just the tip of the iceberg. The hidden parts are the values and the culture of the
people involved. You have to be sensitive to that if [an outsourcing] program is to be successful.”

Michael Agnew, managing director of Omgeo, visits his co-sourcing partner in Mumbai twice a
year and never arrives empty-handed. “I bring gifts to my partners. Even though I’m the
customer, I take them out to dinner, which is not usually the way things work with clients and
vendors,” he says. “They know we’re happy customers and, knowing they’re appreciated, they’re
inspired to perform. You have to treat your partner the way you would want to be treated.” -S.O.

That Side’s Yours and This Side’s Mine

The mechanism for co-sourcing success—a
true sense of partnership—can
also be its downfall. Boundaries
between  the  two  sides  can  become 
blurred.  It’s  often  difficult  to  tell 
exactly  what  the  client  is  contributing 
and  what  the  vendor  is  providing, 
says  Ross,  and  that  can  lead  to  problems.  CIOs  who  succeed  at  these 
relationships  seek  to  define  the  separate  contributions  of  client  and 
vendor—even down to individual responsibilities—without detracting
from  the  collaborative  nature  of  co-sourcing. 

Omgeo,  a  software  provider  for  the  securities  trading  industry,  began 
co-sourcing  with  Indian  company  Patni  last  year.  The  arrangement  has 
worked  so  well  that  Omgeo  Managing  Director  Michael  Agnew  refers 
to  Patni  as  “the  development,  QA  and  testing  unit”  of  Omgeo.  Yet  he  has 
been  careful  to  specify  who  does  what.  “It’s  part  of  our  project  charter 
process  to  set  and  write  up  all  roles  and  responsibilities  up  front,”  says 
Agnew.  “We  understand  what  all  the  accountabilities  are  by  function, 
by  project  and  by  individual.”  But  simply  saying  who’s  responsible  for 
what  isn’t  enough.  “The  lesson  I’ve  learned  with  any  partner  is  that 
being very formal in the communication process and setting expectations
clearly up front is paramount to success,” says Agnew. “All
throughout  the  project  lifecycle,  it  should  be  clear  who’s  handling  what.” 

At  the  highest  level,  there’s  an  Omgeo  global  sourcing  director 
who  oversees  all  outsourcing  and  monitors  all  metrics  from  cost  to 
performance  to  headcount.  There  are  also  Omgeo  project  managers 
who  direct  development  teams  and  work  with  the  vendor’s  project 
manager.  Three  Omgeo  managers  are  responsible  for  working  with 
Patni’s  quality  assurance  team  in  Mumbai.  And  most  importantly, 
there’s  the  Omgeo  program  manager  for  Patni  who  deals  directly 
with  Patni’s  equally  important  relationship  manager  for  Omgeo. 

Mary Lacity, professor of information systems at the University of
Missouri, says having the right people in the relationship management
roles is a make-or-break proposition for a co-sourcing alliance. “If
you get the two primary point people right—the alliance managers for
customer and supplier—you’ll be fine,” she says. “It’s hard to find the
right people. But if those two people can be completely frank, be completely
honest about the people in their own organization rather than
necessarily protect them, and even share financial information—‘This
is what my margins are, and this is what I can do’—then it works.”


How to Measure Success and Sustain Value

Certainly,  a  successful  co-sourcing  project  is  one  that  comes  in  on 
time  and  on  budget  and  works  well.  But  evaluating  a  co-sourcing 
relationship  goes  deeper  than  that. 

For  State  Street’s  Cristoforo,  project  milestones  are  just  the  tip  of 
the  iceberg;  a  bigger  issue  is  whether  his  co-sourcing  arrangement 
can  be  sustained  over  the  long  haul.  If  specific  issues  arise  during  a 
project—say, problems with coding or processes—that’s a signal to
Cristoforo that a deeper problem could be lying underneath. “It
really doesn’t matter if you’re making deliverables if you don’t have
sustainability,” he says. For Cristoforo, success in this kind of partnership
can be measured only over a long period of time: “We’ve
been  working  with  Zhejiang  close  to  five  years.  We’ve  been  with 
them  as  they’ve  grown  from  15  people  supporting  us  to  300  people. 
They’ve  proven  they  can  handle  all  kinds  of  work,  from  high  fidelity 
to  low  fidelity.  We  have  many  different  development  communities  at 
State  Street,  and  Zhejiang  is  now  integrated  with  most  of  them.” 
These  are  all  mounting  signs  of  success  for  Cristoforo. 

Back at TMA, Delman compares his co-sourcing alliance with Cordiant
to another solid relationship he has. “I view it as a marriage.
When something’s really wrong, it’s obvious. But when things are
going well, you don’t usually notice it. Sure, some days it’s my birthday.
And some days my daughter brings home a C to us. But normally
things are pretty much like they were the day before,” Delman says. “It’s
the same way with my co-sourcing relationship. Sometimes I’m delightfully
surprised. Sometimes I’m a little annoyed because I don’t understand
why some things take so long when others happen faster. But
there’s a certain rhythm to the relationship that I’m used to that tells me
things are moving along.”


Senior Editor Stephanie Overby (soverby@cio.com) covers outsourcing.
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Certifiably Sane

Not  certifying  IT  workers’  cross-platform  knowledge 
borders  on  madness 

Do you remember that childhood song “the knee
bone’s connected to the shin bone, the shin bone’s connected
to the foot bone”? I was thinking about that when
I recently came across an April 1, 1999, column I penned
in CIO that called for the mandatory certification of
enterprise IT workers. I called the program the National
Enterprise Software Certification program. Back then,
I was worrying about Y2K.

Now I’m worried that we’re in the early stages of a
massive hardware, software and network infrastructure
buildout, and I don’t believe most tech workers have received adequate cross-technology
training. Businesses and CIOs tend to segment their resources by technology,
with some staff proficient in database software, others in e-business applications and so
on. Current vendor-sponsored certification programs, though well-intentioned, support
this silo structure.

But  the  future  “dynamic  enterprise”  (as  IDC  research  calls  it)  will  be  a  real-time, 
burst-mode  information  engine  built  on  the  wheels  of  mobility,  spanning  new  hardware 
architectures,  both  open  and  proprietary  software  systems  and  network  technologies. 
Consequently,  a  small  problem  in  the  knee  bone  will  cause  a  huge  problem  in  the  foot 
bone.  Or  the  hip  bone.  Take  your  pick. 

Hence  my  point:  The  time  has  come  to  augment  vendor-sponsored  certification  with 
a  mandatory,  national  program  administered  by  state  governments  that  would  quantify 
the  cross-platform  knowledge  of  our  nation’s  information  technology  workers. 

I am therefore resurrecting my call for a National Enterprise Software Certification program.
I see CIOs and vendors working together to build the key components of the program.
This wouldn’t be an academic exercise; it would be practical and practice-based.

Doctors, lawyers, dentists, truck drivers, pilots, teachers and cosmetologists must pass
certification programs before they can serve the public. If we really believe IT is a foundation
of our society, isn’t it time to add IT workers to that list?

Am I certifiably crazy to suggest such an idea? Should this idea be cut off at its knees?
Or, might the industry consider it? Your certified publisher encourages you to share your
thoughts with me at the e-mail address below.


Gary  J.  Beach,  Publisher 

gbeach@cio.com
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
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11  15  05  EXECUTIVE  summaries 


CEO Wayne Luthringshausen of The
Options Clearing Corp.: “My CIO’s office
is catty-corner to mine. We see each
other every day. He would have to make
a real effort to hide something from me.”
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52  |  FIXING  THE  REQUIREMENTS  MESS 

ANALYSTS  REPORT  THAT  as  many  as  71  percent  of  software  projects  that  fail  do  so 
because  of  poor  requirements  management,  making  it  the  single  biggest  reason  for  project 
failure.  Though  CIOs  are  rarely  directly  responsible  for  requirements  management,  they 
are  accountable  for  the  outcomes,  which  can  include  project  delays,  software  that  does  not 
do  what  it  is  supposed  to  do  and,  worst  of  all,  software  that  may  not  work  correctly  when 
rolled out, putting the business—and the CIO’s job—at risk. Some CIOs are rethinking
requirements.  One  decided  to  simply  enforce  rules  that  should  have  been  enforced  all 
along.  Another  rewrote  the  rules  from  the  ground  up.  And  a  pair  threw  out  the  old  rule 
books  completely,  one  taking  a  business-process-focused  approach  and  the  other  focusing 
on  building  applications  with  quick  iterations  rather  than  long  requirements  documents. 
But  they  all  say  that  you  should  pick  a  formal  requirements-gathering  process  and  stick 
to  it.  By  Christopher  Lindquist 


68  |  KEEPING  UP  WITH 
THE  MERRILL  LYNCHES 

AS  CEO  of  The  Options  Clearing  Corp., 
which  depends  heavily  on  IT  to  clear 
options,  futures,  derivatives  and  other 
complex  financial  trades  for  its  clients, 
Wayne  Luthringshausen  knows  he 
can’t  stint  on  new  technologies  or  costs. 
His  company,  after  all,  has  to  keep  up 
with  its  most  sophisticated  clients, 
brokerage  houses  such  as  Merrill  Lynch. 
A  large  part  of  Luthringshausen’s  job 
is  to  serve  as  an  intermediary  between 
IT  and  those  clients.  In  this  View 
from  the  Top  interview,  he  tells  CIO 
how  he  juggles  that  responsibility 
without  taking  over  the  CIO  role. 

By  Ben  Worthen 


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63 | TESTING, 1, 2, 3...11

TESTING  IS  ESSENTIAL  to  developing  high-quality  software  and  to  ensuring  smooth 
business operations. It can’t be given short shrift; the consequences are too dire. Businesses—and,
in some cases, lives—are at risk when a company fails to adequately and effectively
test software for bugs and performance issues, or to determine whether the software
meets business requirements or end users’ needs. Here we describe 11 best practices that
will improve your software testing processes, ranging from colocating testers with developers
to dedicating testers to specific applications and systems. By Meridith Levinson


74  |  OFFSHORE  ALLIES 

MANY  CIOs  HAVE  SENT  application  development  and  maintenance  work  offshore, 
hoping  to  save  money  while  taking  advantage  of  deep  technical  expertise  in  India  and 
other  outsourcing  hot  spots.  But  such  arrangements  fail  37  percent  of  the  time,  according 
to  a  recent  study  by  MIT’s  Center  for  Information  Systems  Research  (CISR)  and  CIO.  One 
way  to  help  offshoring  deals  succeed  is  to  treat  them  as  “co-sourcing  alliances,”  in  the 
study’s terminology. This second article in a three-part series on the CISR-CIO research
details  the  requirements  for  co-sourcing  success:  The  client  and  vendor  must  both  have 
strong  capabilities,  CIOs  have  to  set  expectations  and  governance  processes  for  mutual 
benefit,  and  they  should  be  ready  to  revisit  those  expectations  and  management  rules  to 
sustain  co-sourcing  value.  By  Stephanie  Overby 
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
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